From: Hans-Christoph Steiner Date: Wed, 15 Jun 2016 10:47:16 +0000 (+0200) Subject: buildserver: /vagrant/cache writeable only by root X-Git-Tag: 0.7.0~49^2~2 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=d0bb6f73bfeaf5b74b4146a86e1470976b9a4d80;p=fdroidserver.git buildserver: /vagrant/cache writeable only by root Prevent build processes from modifying the cache, it is only needed during provisioning anyway. A malicious build could still use sudo to change the cache, but this is more to prevent mistaken modifications.
---
diff --git a/makebuildserver b/makebuildserver
index d44e559d..0f5cb86e 100755
--- a/makebuildserver
+++ b/makebuildserver
@@ -363,7 +363,8 @@ if 'aptproxy' in config and config['aptproxy']:
 # does not need a custom mount
 if cachedir != 'buildserver/cache':
 vagrantfile += """
- config.vm.synced_folder '{0}', '/vagrant/cache'
+ config.vm.synced_folder '{0}', '/vagrant/cache',
+ owner: 'root', group: 'root', create: true
 """.format(cachedir)
 # cache .deb packages on the host via a mount trick
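Review bot: The `owner: 'root', group: 'root'` options are added only inside the `if cachedir != 'buildserver/cache':` branch, so with the default cache location, which the context comment says needs no custom mount, `/vagrant/cache` is presumably still reached through the default `/vagrant` share and this hunk does not change who can write to it. If the default case is not handled elsewhere in the file, it needs its own root-owned mount or the restriction is not in effect for it. Ownership alone also leaves the effective permission bits to the synced-folder provider; for VirtualBox shared folders an explicit `mount_options: ['dmode=755', 'fmode=644']` would state the intent. A short comment above the mount, such as `# root-owned so unprivileged build processes cannot alter cached downloads`, would record why the options are there.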