aboutsummaryrefslogtreecommitdiff
path: root/src/libstore/build.cc
diff options
context:
space:
mode:
authorEelco Dolstra <eelco.dolstra@logicblox.com>2015-01-08 16:39:07 +0100
committerEelco Dolstra <eelco.dolstra@logicblox.com>2015-01-08 16:39:07 +0100
commit27b7b94923d2f207781b438bb7a57669bddf7d2b (patch)
tree93f929dd2b506ae139776b637f71b202ed0bec30 /src/libstore/build.cc
parent128538ef06aa1075b82a1c559e11f6e445514858 (diff)
Set /nix/store permission to 1737
I.e., not readable to the nixbld group. This improves purity a bit for non-chroot builds, because it prevents a builder from enumerating store paths (i.e. it can only access paths it knows about).
Diffstat (limited to 'src/libstore/build.cc')
-rw-r--r--src/libstore/build.cc15
1 files changed, 0 insertions, 15 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index e73e4a4a3..5817611d4 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -1736,21 +1736,6 @@ void DerivationGoal::startBuilder()
/* Change ownership of the temporary build directory. */
if (chown(tmpDir.c_str(), buildUser.getUID(), buildUser.getGID()) == -1)
throw SysError(format("cannot change ownership of ‘%1%’") % tmpDir);
-
- /* Check that the Nix store has the appropriate permissions,
- i.e., owned by root and mode 1775 (sticky bit on so that
- the builder can create its output but not mess with the
- outputs of other processes). */
- struct stat st;
- if (stat(settings.nixStore.c_str(), &st) == -1)
- throw SysError(format("cannot stat ‘%1%’") % settings.nixStore);
- if (!(st.st_mode & S_ISVTX) ||
- ((st.st_mode & S_IRWXG) != S_IRWXG) ||
- (st.st_gid != buildUser.getGID()))
- throw Error(format(
- "builder does not have write permission to ‘%2%’; "
- "try ‘chgrp %1% %2%; chmod 1775 %2%’")
- % buildUser.getGID() % settings.nixStore);
}