authorEelco Dolstra <edolstra@gmail.com>2017-05-04T14·57+0200
committerEelco Dolstra <edolstra@gmail.com>2017-05-04T14·57+0200
commiteba840c8a13b465ace90172ff76a0db2899ab11b (patch)
tree031a4794e1b38ad6fc6d0cc94557755c0896b4fb
parent2da6a424486e16b4b30e448a15a9b4a608df602d (diff)
Linux sandbox: Use /build instead of /tmp as $TMPDIR
There is a security issue when a build accidentally stores its $TMPDIR
in some critical place, such as an RPATH. If
TMPDIR=/tmp/nix-build-..., then any user on the system can recreate
that directory and inject libraries into the RPATH of programs
executed by other users. Since /build probably doesn't exist (or isn't
world-writable), this mitigates the issue.
-rw-r--r--src/libstore/build.cc20
1 files changed, 15 insertions, 5 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 8c2602a701bd..6d20512e1f8e 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -1661,6 +1661,9 @@ int childEntry(void * arg)
 }
 
 
+const std::string buildDir = "/build";
+
+
 void DerivationGoal::startBuilder()
 {
     auto f = format(
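Review bot: The new `buildDir` constant carries none of the reasoning from the commit message, and the reason it is `/build` rather than `/tmp` is a security invariant that the next person editing this path needs to see. I would put the rationale next to the definition: `/* Fixed $TMPDIR inside the Linux sandbox. Deliberately not under /tmp: a build that leaks its $TMPDIR into an RPATH or similar must not point at a path any local user can recreate and populate on the host. */`. As a minor point, `const std::string` at namespace scope is dynamically initialised at startup; a `static const char * const` (or `constexpr` string literal) would avoid that, though nothing here depends on it.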
@@ -1721,7 +1724,14 @@ void DerivationGoal::startBuilder()
 
     /* In a sandbox, for determinism, always use the same temporary
        directory. */
+#if __linux__
+    tmpDirInSandbox = useChroot ? buildDir : tmpDir;
+#elif __APPLE__
+    // On Darwin, we canonize /tmp because its probably a symlink to /private/tmp.
     tmpDirInSandbox = useChroot ? canonPath("/tmp", true) + "/nix-build-" + drvName + "-0" : tmpDir;
+#else
+    tmpDirInSandbox = tmpDir;
+#endif
     chownToBuilder(tmpDir);
 
     /* Substitute output placeholders with the actual output paths. */
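Review bot: The `__APPLE__` branch still derives `tmpDirInSandbox` from `/tmp/nix-build-<drvName>-0`, which is exactly the predictable, world-writable-parent path the commit message describes as injectable, so the mitigation as written is Linux-only; if that is intentional because the Darwin sandbox cannot use `/build`, the comment should say so rather than leave it to the reader to notice the asymmetry. I would extend the Darwin comment along the lines of `// NOTE: Darwin keeps the /tmp-based path; the RPATH-leak mitigation applied to Linux (buildDir) does not apply here.` and fix the typo `its` → `it's` while touching it. The non-sandboxed fallback (`tmpDirInSandbox = tmpDir`) is likewise unchanged, which matches the "Linux sandbox" scope of the commit but is worth stating in the surrounding comment at the top of this hunk, which currently promises a single deterministic directory without qualification. `startBuilder` continues past the end of this hunk.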
@@ -1829,11 +1839,11 @@ void DerivationGoal::startBuilder()
            Samba-in-QEMU. */
         createDirs(chrootRootDir + "/etc");
 
-        writeFile(chrootRootDir + "/etc/passwd",
-            (format(
-                "root:x:0:0:Nix build user:/:/noshell\n"
-                "nixbld:x:%1%:%2%:Nix build user:/:/noshell\n"
-                "nobody:x:65534:65534:Nobody:/:/noshell\n") % sandboxUid % sandboxGid).str());
+        writeFile(chrootRootDir + "/etc/passwd", fmt(
+                "root:x:0:0:Nix build user:%3%:/noshell\n"
+                "nixbld:x:%1%:%2%:Nix build user:%3%:/noshell\n"
+                "nobody:x:65534:65534:Nobody:/:/noshell\n",
+                sandboxUid, sandboxGid, buildDir));
 
         /* Declare the build user's group so that programs get a consistent
            view of the system (e.g., "id -gn"). */
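Review bot: The home directory written for `root` and `nixbld` is `buildDir` unconditionally, while the hunk above only makes `tmpDirInSandbox` equal `buildDir` on Linux; if this `/etc/passwd` generation is ever reached on a platform where `tmpDirInSandbox` is still the `/tmp/nix-build-...` path, the two would disagree (I cannot see from here whether this block is Linux-only, so treat that as a question for the author). A one-line comment would make the coupling explicit: `/* Home dir is the sandbox $TMPDIR (buildDir) so $HOME and $TMPDIR agree inside the chroot. */`. Leaving `nobody` at `/` is fine, but since `%3%` is reused for two entries it may be worth a note that boost::format permits repeated positional arguments, so the duplication is intentional. The enclosing `if` block continues outside this hunk.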