Browse files

Linux sandbox: Use /build instead of /tmp as $TMPDIR

There is a security issue when a build accidentally stores its $TMPDIR
in some critical place, such as an RPATH. If
TMPDIR=/tmp/nix-build-..., then any user on the system can recreate
that directory and inject libraries into the RPATH of programs
executed by other users. Since /build probably doesn't exist (or isn't
world-writable), this mitigates the issue.
  • Loading branch information...
edolstra committed May 4, 2017
1 parent 2da6a42 commit eba840c8a13b465ace90172ff76a0db2899ab11b
Showing with 15 additions and 5 deletions.
  1. +15 −5 src/libstore/
@@ -1661,6 +1661,9 @@ int childEntry(void * arg)
const std::string buildDir = "/build";
void DerivationGoal::startBuilder()
auto f = format(
@@ -1721,7 +1724,14 @@ void DerivationGoal::startBuilder()
/* In a sandbox, for determinism, always use the same temporary
directory. */
#if __linux__
tmpDirInSandbox = useChroot ? buildDir : tmpDir;
#elif __APPLE__
// On Darwin, we canonize /tmp because its probably a symlink to /private/tmp.
tmpDirInSandbox = useChroot ? canonPath("/tmp", true) + "/nix-build-" + drvName + "-0" : tmpDir;
tmpDirInSandbox = tmpDir;
/* Substitute output placeholders with the actual output paths. */
@@ -1829,11 +1839,11 @@ void DerivationGoal::startBuilder()
Samba-in-QEMU. */
createDirs(chrootRootDir + "/etc");
writeFile(chrootRootDir + "/etc/passwd",
"root:x:0:0:Nix build user:/:/noshell\n"
"nixbld:x:%1%:%2%:Nix build user:/:/noshell\n"
"nobody:x:65534:65534:Nobody:/:/noshell\n") % sandboxUid % sandboxGid).str());
writeFile(chrootRootDir + "/etc/passwd", fmt(
"root:x:0:0:Nix build user:%3%:/noshell\n"
"nixbld:x:%1%:%2%:Nix build user:%3%:/noshell\n"
sandboxUid, sandboxGid, buildDir));
/* Declare the build user's group so that programs get a consistent
view of the system (e.g., "id -gn"). */

0 comments on commit eba840c

Please sign in to comment.