Disallow the build directory having world-writable parents

Author: edolstra

src/libstore/unix/build/derivation-builder.cc

@@ -698,6 +698,18 @@ static void handleChildException(bool sendException)
     }
 }
 
+static bool checkNotWorldWritable(std::filesystem::path path)
+{
+    while (true) {
+        auto st = lstat(path);
+        if (st.st_mode & S_IWOTH)
+            return false;
+        if (path == path.parent_path()) break;
+        path = path.parent_path();
+    }
+    return true;
+}
+
 void DerivationBuilderImpl::startBuilder()
 {
     /* Make sure that no other processes are executing under the
@@ -729,6 +741,9 @@ void DerivationBuilderImpl::startBuilder()
 
     createDirs(buildDir);
 
+    if (buildUser && !checkNotWorldWritable(buildDir))
+        throw Error("Path %s or a parent directory is world-writable or a symlink. That's not allowed for security.", buildDir);
+
     /* Create a temporary directory where the build will take
        place. */
     topTmpDir = createTempDir(buildDir, "nix-build-" + std::string(drvPath.name()), 0700);

tests/nixos/chroot-store.nix

@@ -41,5 +41,9 @@ in
 
       # Test that /nix/store is available via an overlayfs mount.
       machine.succeed("nix shell --store /tmp/nix ${pkgA} --command cowsay foo >&2")
+
+      # Building in /tmp should fail for security reasons.
+      err = machine.fail("nix build --offline --store /tmp/nix --expr 'builtins.derivation { name = \"foo\"; system = \"x86_64-linux\"; builder = \"/foo\"; }' 2>&1")
+      assert "is world-writable" in err
     '';
 }