author | Eelco Dolstra <edolstra@gmail.com> | 2017-05-04T14·57+0200 |
---|---|---|
committer | Eelco Dolstra <edolstra@gmail.com> | 2017-05-04T14·57+0200 |
commit | eba840c8a13b465ace90172ff76a0db2899ab11b (patch) | |
tree | 031a4794e1b38ad6fc6d0cc94557755c0896b4fb /src/libstore | |
parent | 2da6a424486e16b4b30e448a15a9b4a608df602d (diff) |
Linux sandbox: Use /build instead of /tmp as $TMPDIR
There is a security issue when a build accidentally stores its $TMPDIR in some critical place, such as an RPATH. If TMPDIR=/tmp/nix-build-..., then any user on the system can recreate that directory and inject libraries into the RPATH of programs executed by other users. Since /build probably doesn't exist (or isn't world-writable), this mitigates the issue.
Diffstat (limited to 'src/libstore')
-rw-r--r-- | src/libstore/build.cc | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 8c2602a701bd..6d20512e1f8e 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -1661,6 +1661,9 @@ int childEntry(void * arg)
 }
+const std::string buildDir = "/build";
+
+
 void DerivationGoal::startBuilder()
 {
     auto f = format(
@@ -1721,7 +1724,14 @@ void DerivationGoal::startBuilder()
     /* In a sandbox, for determinism, always use the same temporary directory. */
+#if __linux__
+    tmpDirInSandbox = useChroot ? buildDir : tmpDir;
+#elif __APPLE__
+    // On Darwin, we canonize /tmp because its probably a symlink to /private/tmp.
     tmpDirInSandbox = useChroot ? canonPath("/tmp", true) + "/nix-build-" + drvName + "-0" : tmpDir;
+#else
+    tmpDirInSandbox = tmpDir;
+#endif
     chownToBuilder(tmpDir);
     /* Substitute output placeholders with the actual output paths. */
@@ -1829,11 +1839,11 @@ void DerivationGoal::startBuilder()
        Samba-in-QEMU. */
     createDirs(chrootRootDir + "/etc");
-    writeFile(chrootRootDir + "/etc/passwd",
-        (format(
-            "root:x:0:0:Nix build user:/:/noshell\n"
-            "nixbld:x:%1%:%2%:Nix build user:/:/noshell\n"
-            "nobody:x:65534:65534:Nobody:/:/noshell\n") % sandboxUid % sandboxGid).str());
+    writeFile(chrootRootDir + "/etc/passwd", fmt(
+        "root:x:0:0:Nix build user:%3%:/noshell\n"
+        "nixbld:x:%1%:%2%:Nix build user:%3%:/noshell\n"
+        "nobody:x:65534:65534:Nobody:/:/noshell\n",
+        sandboxUid, sandboxGid, buildDir));
     /* Declare the build user's group so that programs get a consistent view of the system (e.g., "id -gn"). */
|
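Review bot: The new `buildDir` constant in the first hunk carries the whole point of this change but has no comment, so a later reader sees only a magic path; the rationale from the commit message belongs next to it, e.g. `/* Fixed, host-independent $TMPDIR used inside the Linux sandbox. A path outside /tmp means a directory name that leaks into build output (e.g. an RPATH) is not one that any host user could recreate. */`. That comment should also state, as an assumption rather than a guarantee, that the mitigation relies on /build not existing (or not being world-writable) on the host, since nothing in the hunk enforces it. In the third hunk the home directory written into the sandbox's /etc/passwd becomes `buildDir` unconditionally, which matches `tmpDirInSandbox` on Linux; if that passwd block can also be reached on Darwin, where `tmpDirInSandbox` stays under /tmp, the home would no longer match $TMPDIR, so it is worth confirming the block is Linux-only. Minor: the Darwin comment in the second hunk reads `its probably a symlink`, which should be `it's`. `startBuilder` begins in the first hunk and continues outside the hunks shown.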