Unverified Commit eba840c8 authored by Eelco Dolstra

Linux sandbox: Use /build instead of /tmp as $TMPDIR

There is a security issue when a build accidentally stores its $TMPDIR
in some critical place, such as an RPATH. If
TMPDIR=/tmp/nix-build-..., then any user on the system can recreate
that directory and inject libraries into the RPATH of programs
executed by other users. Since /build probably doesn't exist (or isn't
world-writable), this mitigates the issue.
parent 2da6a424
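
An audit for the condition the commit message describes, as an added example that is not part of this commit or of Nix: given the colon-separated RPATH/RUNPATH string of a binary (for instance as printed by `readelf -d`), it reports entries that are world-writable or that no longer exist but sit under a world-writable directory. The names `audit_rpath` and `demo`, and the `nix-build-example-0` directory name, are constructed for illustration.

```python
import os
import stat
import tempfile


def _world_writable(path):
    """True if 'other' users have write permission on path."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def audit_rpath(rpath):
    """Return [(entry, reason)] for RPATH entries another local user could control."""
    findings = []
    for entry in filter(None, rpath.split(":")):
        if not os.path.isabs(entry):
            # $ORIGIN and relative entries depend on the binary's location
            # or the working directory; they are not checked here.
            continue
        if os.path.isdir(entry):
            if _world_writable(entry):
                findings.append((entry, "world-writable"))
            continue
        # Missing directory: anyone who can write to the nearest existing
        # ancestor can recreate it. The sticky bit on /tmp only restricts
        # deleting or renaming other users' files, not creating new ones.
        parent = os.path.dirname(entry.rstrip("/"))
        while not os.path.isdir(parent):
            parent = os.path.dirname(parent)
        if _world_writable(parent):
            findings.append((entry, "missing, recreatable under " + parent))
    return findings


def demo():
    """Constructed sample: one leftover build path, one safe path, one $ORIGIN entry."""
    shared = tempfile.mkdtemp()
    os.chmod(shared, 0o1777)          # stands in for /tmp
    private = tempfile.mkdtemp()      # mode 0700, stands in for a non-world-writable /build
    stale = os.path.join(shared, "nix-build-example-0", "lib")
    safe = os.path.join(private, "build", "lib")
    return shared, audit_rpath(":".join([stale, safe, "$ORIGIN/../lib"]))


if __name__ == "__main__":
    for entry, reason in demo()[1]:
        print(entry, "->", reason)
```
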