Linux sandbox: Use /build instead of /tmp as $TMPDIR
There is a security issue when a build accidentally stores its $TMPDIR in some critical place, such as an RPATH. If TMPDIR=/tmp/nix-build-..., then any user on the system can recreate that directory and inject libraries into the RPATH of programs executed by other users. Since /build probably doesn't exist (or isn't world-writable), this mitigates the issue.
This commit is contained in:
parent
2da6a42448
commit
eba840c8a1
1 changed files with 15 additions and 5 deletions
|
@ -1661,6 +1661,9 @@ int childEntry(void * arg)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
const std::string buildDir = "/build";
|
||||||
|
|
||||||
|
|
||||||
void DerivationGoal::startBuilder()
|
void DerivationGoal::startBuilder()
|
||||||
{
|
{
|
||||||
auto f = format(
|
auto f = format(
|
||||||
|
@ -1721,7 +1724,14 @@ void DerivationGoal::startBuilder()
|
||||||
|
|
||||||
/* In a sandbox, for determinism, always use the same temporary
|
/* In a sandbox, for determinism, always use the same temporary
|
||||||
directory. */
|
directory. */
|
||||||
|
#if __linux__
|
||||||
|
tmpDirInSandbox = useChroot ? buildDir : tmpDir;
|
||||||
|
#elif __APPLE__
|
||||||
|
// On Darwin, we canonize /tmp because its probably a symlink to /private/tmp.
|
||||||
tmpDirInSandbox = useChroot ? canonPath("/tmp", true) + "/nix-build-" + drvName + "-0" : tmpDir;
|
tmpDirInSandbox = useChroot ? canonPath("/tmp", true) + "/nix-build-" + drvName + "-0" : tmpDir;
|
||||||
|
#else
|
||||||
|
tmpDirInSandbox = tmpDir;
|
||||||
|
#endif
|
||||||
chownToBuilder(tmpDir);
|
chownToBuilder(tmpDir);
|
||||||
|
|
||||||
/* Substitute output placeholders with the actual output paths. */
|
/* Substitute output placeholders with the actual output paths. */
|
||||||
|
@ -1829,11 +1839,11 @@ void DerivationGoal::startBuilder()
|
||||||
Samba-in-QEMU. */
|
Samba-in-QEMU. */
|
||||||
createDirs(chrootRootDir + "/etc");
|
createDirs(chrootRootDir + "/etc");
|
||||||
|
|
||||||
writeFile(chrootRootDir + "/etc/passwd",
|
writeFile(chrootRootDir + "/etc/passwd", fmt(
|
||||||
(format(
|
"root:x:0:0:Nix build user:%3%:/noshell\n"
|
||||||
"root:x:0:0:Nix build user:/:/noshell\n"
|
"nixbld:x:%1%:%2%:Nix build user:%3%:/noshell\n"
|
||||||
"nixbld:x:%1%:%2%:Nix build user:/:/noshell\n"
|
"nobody:x:65534:65534:Nobody:/:/noshell\n",
|
||||||
"nobody:x:65534:65534:Nobody:/:/noshell\n") % sandboxUid % sandboxGid).str());
|
sandboxUid, sandboxGid, buildDir));
|
||||||
|
|
||||||
/* Declare the build user's group so that programs get a consistent
|
/* Declare the build user's group so that programs get a consistent
|
||||||
view of the system (e.g., "id -gn"). */
|
view of the system (e.g., "id -gn"). */
|
||||||
|
|
Loading…
Reference in a new issue