nixos/nix
1
1
Fork 0
mirror of https://github.com/NixOS/nix.git synced 2025-11-15 15:02:42 +01:00
Code Activity

Run the builds in a daemon-controled directory

Browse source 
Instead of running the builds under
`$TMPDIR/{unique-build-directory-owned-by-the-build-user}`, run them
under `$TMPDIR/{unique-build-directory-owned-by-the-daemon}/{subdir-owned-by-the-build-user}`
where the build directory is only readable and traversable by the daemon user.

This achieves two things:

1. It prevents builders from making their build directory world-readable
   (or even writeable), which would allow the outside world to interact
   with them.
2. It prevents external processes running as the build user (either
   because that somehow leaked, maybe as a consequence of 1., or because
   `build-users` isn't in use) from gaining access to the build
   directory.
This commit is contained in:
Théophane Hufschmitt 2024-04-02 17:06:48 +02:00 committed by Eelco Dolstra
parent 717f3eea39
commit 1d3696f0fb
5 changed files with 25 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/libstore/unix/build/local-derivation-goal.cc
View file

@ -503,8 +503,9 @@ void LocalDerivationGoal::startBuilder()
/* Create a temporary directory where the build will take
place. */
tmpDir = createTempDir(settings.buildDir.get().value_or(""), "nix-build-" + std::string(drvPath.name()), false, false, 0700);
auto parentTmpDir = createTempDir(settings.buildDir.get().value_or(""), "nix-build-" + std::string(drvPath.name()), false, false, 0700);
tmpDir = parentTmpDir + "/build";
createDir(tmpDir, 0700);
chownToBuilder(tmpDir);
for (auto & [outputName, status] : initialOutputs) {