Disallow the build directory having world-writable parents

2025-06-24 22:11:15 +02:00 · 2025-06-12 11:04:07 +02:00 · 2025-06-12 11:04:07 +02:00 · 5acf50a327
commit 5acf50a327
parent 88b7db1ba4
2 changed files with 19 additions and 0 deletions
--- a/tests/nixos/chroot-store.nix
+++ b/tests/nixos/chroot-store.nix
@ -41,5 +41,9 @@ in

      # Test that /nix/store is available via an overlayfs mount.
      machine.succeed("nix shell --store /tmp/nix ${pkgA} --command cowsay foo >&2")
+
+      # Building in /tmp should fail for security reasons.
+      err = machine.fail("nix build --offline --store /tmp/nix --expr 'builtins.derivation { name = \"foo\"; system = \"x86_64-linux\"; builder = \"/foo\"; }' 2>&1")
+      assert "is world-writable" in err
    '';
 }