Put the chroot inside a directory that isn't group/world-accessible

Previously, the .chroot directory had permission 750 or 755 (depending on the uid-range system feature) and was owned by root/nixbld. This makes it possible for any nixbld user (if uid-range is disabled) or any user (if uid-range is enabled) to inspect the contents of the chroot of an active build and maybe interfere with it (e.g. via /tmp in the chroot, which has 1777 permission). To prevent this, the root is now a subdirectory of .chroot, which has permission 700 and is owned by root/root. (cherry picked from commit ede95b1fc1)
2025-12-23 09:21:09 +01:00 · 2024-05-14 13:00:00 +02:00 · 2024-05-14 13:00:00 +02:00 · 0882b75ceb
commit 0882b75ceb
parent a156c597ff
2 changed files with 19 additions and 5 deletions
--- a/src/libstore/unix/build/local-derivation-goal.hh
+++ b/src/libstore/unix/build/local-derivation-goal.hh
@ -65,6 +65,16 @@ struct LocalDerivationGoal : public DerivationGoal
     */
    bool useChroot = false;

+    /**
+     * The parent directory of `chrootRootDir`. It has permission 700
+     * and is owned by root to ensure other users cannot mess with
+     * `chrootRootDir`.
+     */
+    Path chrootParentDir;
+
+    /**
+     * The root of the chroot environment.
+     */
    Path chrootRootDir;

    /**