Set permissions on temporary build directories to 0700? #39

edolstra opened this Issue Jul 25, 2012 · 0 comments


None yet
1 participant

edolstra commented Jul 25, 2012

The CVE-2012-3386 issue in libpng (unpacked source tarball was world-writable, allowing other users to interfere with the build) made me think that maybe we should change the permissions on /tmp/nix-build-* to 0700 to prevent this kind of scenario.

The downside is that you wouldn't be able to inspect what's going on in a build while it's running. (When -K is given, we should at least change the permissions back to 0755 after the build fails.)

@ghost ghost assigned edolstra Jul 25, 2012

@edolstra edolstra closed this in 3a4623a Jul 26, 2012

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment