buildserver: /vagrant/cache writeable only by root

Prevent build processes from modifying the cache, it is only needed
during provisioning anyway. A malicious build could still use sudo to
change the cache, but this is more to prevent mistaken modifications.

diff --git a/makebuildserver b/makebuildserver
index d44e559d9b8ebd41e448b256acafc17c06dc6146..0f5cb86e54f6caec9f8b9cf9c0c57ca82386d01b 100755 (executable)
--- a/makebuildserver
+++ b/makebuildserver
@@ -363,7 +363,8 @@ if 'aptproxy' in config and config['aptproxy']:
 # does not need a custom mount
 if cachedir != 'buildserver/cache':
     vagrantfile += """
-  config.vm.synced_folder '{0}', '/vagrant/cache'
+  config.vm.synced_folder '{0}', '/vagrant/cache',
+    owner: 'root', group: 'root', create: true
 """.format(cachedir)
 
 # cache .deb packages on the host via a mount trick