chmod the /build subdir to 750

Due to unknown reasons, some packages (notably yarn and npm) will stall during a build process. This causes a major problem, because the process cannot be killed and a cold-reset is needed to restart the system (a shutdown or reboot will hang trying to umount the partition where the build is happening). By letting the `/build` subdirectory be group-readable by the nixbld group, the problem is fixed. Also we do not sacrifice build privacy, because the parrent directory is owned by `root` and set to `700`. So even if we have a malicious setguid binary in one build and another tries to run it, it cannot access it because the parent folder is owned by `root`. fixes #11806 fixes NixOS/nixpkgs#353709 Signed-off-by: Florian Brandes <[email protected]>
NixOS · Nov 5, 2024 · e568727 · e568727
1 parent b4c05a1
commit e568727
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
@@ -555,7 +555,7 @@ void LocalDerivationGoal::startBuilder()
            possible. Any mitigation along these lines would have to be
            done directly in the sandbox profile. */
         tmpDir = topTmpDir + "/build";
-        createDir(tmpDir, 0700);
+        createDir(tmpDir, 0750);
     } else {
         tmpDir = topTmpDir;
     }