about summary refs log tree commit diff
path: root/src/libstore/nar-info-disk-cache.cc
diff options
context:
space:
mode:
authorEelco Dolstra <edolstra@gmail.com>2017-05-04T14·57+0200
committerEelco Dolstra <edolstra@gmail.com>2017-05-04T14·57+0200
commiteba840c8a13b465ace90172ff76a0db2899ab11b (patch)
tree031a4794e1b38ad6fc6d0cc94557755c0896b4fb /src/libstore/nar-info-disk-cache.cc
parent2da6a424486e16b4b30e448a15a9b4a608df602d (diff)
Linux sandbox: Use /build instead of /tmp as $TMPDIR
There is a security issue when a build accidentally stores its $TMPDIR
in some critical place, such as an RPATH. If
TMPDIR=/tmp/nix-build-..., then any user on the system can recreate
that directory and inject libraries into the RPATH of programs
executed by other users. Since /build probably doesn't exist (or isn't
world-writable), this mitigates the issue.
Diffstat (limited to 'src/libstore/nar-info-disk-cache.cc')
0 files changed, 0 insertions, 0 deletions