sanity: Check for setgid/setuid TMPDIR

Submitted by Richard Purdie on July 23, 2014, 4:05 p.m. | Patch ID: 76487


Message ID 1406131544.22985.126.camel@ted
State New
Headers show

Commit Message

Richard Purdie July 23, 2014, 4:05 p.m.
Building in a TMPDIR which has setgid or setuid is a bad idea. We could try and reset
the permissions but since these can also invade into other directories like the cache
or sstate, lets tell the user to fix it instead.

[YOCTO #6519]

Signed-off-by: Richard Purdie <>

Patch hide | download patch | download mbox

diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
index ed65814..367b68e 100644
--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -514,6 +514,7 @@  def check_sanity_version_change(status, d):
         import xml.parsers.expat
     except ImportError:
         status.addresult('Your python is not a full install. Please install the module xml.parsers.expat (python-xml on openSUSE and SUSE Linux).\n')
+    import stat
@@ -566,6 +567,11 @@  def check_sanity_version_change(status, d):
     # Check that TMPDIR isn't on a filesystem with limited filename length (eg. eCryptFS)
     tmpdir = d.getVar('TMPDIR', True)
     status.addresult(check_create_long_filename(tmpdir, "TMPDIR"))
+    tmpdirmode = os.stat(tmpdir).st_mode
+    if (tmpdirmode & stat.S_ISGID):
+        status.addresult("TMPDIR is setgid, please don't build in a setgid directory")
+    if (tmpdirmode & stat.S_ISUID):
+        status.addresult("TMPDIR is setuid, please don't build in a setgid directory")
     # Some third-party software apparently relies on chmod etc. being suid root (!!)
     import stat


Chris Larson July 23, 2014, 4:14 p.m.
On Wed, Jul 23, 2014 at 9:05 AM, Richard Purdie <> wrote:

> +        status.addresult("TMPDIR is setuid, please don't build in a
> setgid directory")

Minor typo, s/setgid directory/setuid directory/.