buildserver: /vagrant/cache writeable only by root

Prevent build processes from modifying the cache, it is only needed during provisioning anyway. A malicious build could still use sudo to change the cache, but this is more to prevent mistaken modifications.
2024-11-20 13:50:12 +01:00 · 2016-06-15 12:47:16 +02:00 · 2016-06-15 12:47:16 +02:00 · d0bb6f73bf
commit d0bb6f73bf
parent 6ea2508127
1 changed files with 2 additions and 1 deletions
--- a/3
+++ b/3
@ -363,7 +363,8 @@ if 'aptproxy' in config and config['aptproxy']:
 # does not need a custom mount
 if cachedir != 'buildserver/cache':
    vagrantfile += """
-  config.vm.synced_folder '{0}', '/vagrant/cache'
+  config.vm.synced_folder '{0}', '/vagrant/cache',
+    owner: 'root', group: 'root', create: true
 """.format(cachedir)

 # cache .deb packages on the host via a mount trick