nixos/nix
1
1
Fork 0
mirror of https://github.com/NixOS/nix.git synced 2025-11-14 22:42:41 +01:00
Code Activity

libstore: Don't default build-dir to temp-dir, store setting

Browse source 
If a build directory is accessible to other users it is possible to
smuggle data in and out of build directories. Usually this is only
a build purity problem, but in combination with other issues it can
be used to break out of a build sandbox. to prevent this we default
to using a subdirectory of nixStateDir (which is more restrictive).

(cherry picked from pennae Lix commit 55b416f6897fb0d8a9315a530a9b7f0914458ded)
(store setting done by roberth)
This commit is contained in:
eldritch horrors 2025-03-30 16:45:34 +02:00 committed by Jörg Thalheim
parent 9af4c267c6
commit 88b7db1ba4
11 changed files with 62 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/libstore/unix/build/derivation-builder.cc
View file

@ -725,9 +725,13 @@ void DerivationBuilderImpl::startBuilder()
throw BuildError(msg);
}
auto buildDir = getLocalStore(store).config->getBuildDir();
createDirs(buildDir);
/* Create a temporary directory where the build will take
place. */
topTmpDir = createTempDir(settings.buildDir.get().value_or(""), "nix-build-" + std::string(drvPath.name()), 0700);
topTmpDir = createTempDir(buildDir, "nix-build-" + std::string(drvPath.name()), 0700);
setBuildTmpDir();
assert(!tmpDir.empty());