From 27b7b94923d2f207781b438bb7a57669bddf7d2b Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Thu, 8 Jan 2015 16:39:07 +0100
Subject: Set /nix/store permission to 1737 I.e., not readable to the nixbld group. This improves purity a bit for non-chroot builds, because it prevents a builder from enumerating store paths (i.e. it can only access paths it knows about).
---
 src/libstore/build.cc | 15 ---------------
 1 file changed, 15 deletions(-) (limited to 'src/libstore/build.cc')
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index e73e4a4a3..5817611d4 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -1736,21 +1736,6 @@ void DerivationGoal::startBuilder()
 /* Change ownership of the temporary build directory. */
 if (chown(tmpDir.c_str(), buildUser.getUID(), buildUser.getGID()) == -1)
 throw SysError(format("cannot change ownership of ‘%1%’") % tmpDir);
-
- /* Check that the Nix store has the appropriate permissions,
- i.e., owned by root and mode 1775 (sticky bit on so that
- the builder can create its output but not mess with the
- outputs of other processes). */
- struct stat st;
- if (stat(settings.nixStore.c_str(), &st) == -1)
- throw SysError(format("cannot stat ‘%1%’") % settings.nixStore);
- if (!(st.st_mode & S_ISVTX) ||
- ((st.st_mode & S_IRWXG) != S_IRWXG) ||
- (st.st_gid != buildUser.getGID()))
- throw Error(format(
- "builder does not have write permission to ‘%2%’; "
- "try ‘chgrp %1% %2%; chmod 1775 %2%’")
- % buildUser.getGID() % settings.nixStore);
 }
--
cgit v1.2.3