libstore: Don't default build-dir to temp-dir, store setting

If a build directory is accessible to other users it is possible to smuggle data in and out of build directories. Usually this is only a build purity problem, but in combination with other issues it can be used to break out of a build sandbox. to prevent this we default to using a subdirectory of nixStateDir (which is more restrictive). (cherry picked from pennae Lix commit 55b416f6897fb0d8a9315a530a9b7f0914458ded) (store setting done by roberth)
2025-06-24 22:11:15 +02:00 · 2025-03-30 16:45:34 +02:00 · 2025-03-30 16:45:34 +02:00 · 88b7db1ba4
commit 88b7db1ba4
parent 9af4c267c6
11 changed files with 62 additions and 15 deletions
--- a/tests/functional/build-remote-trustless-should-fail-0.sh
+++ b/tests/functional/build-remote-trustless-should-fail-0.sh
@ -12,7 +12,6 @@ requiresUnprivilegedUserNamespaces
 [[ $busybox =~ busybox ]] || skipTest "no busybox"

 unset NIX_STORE_DIR
-unset NIX_STATE_DIR

 # We first build a dependency of the derivation we eventually want to
 # build.
--- a/tests/functional/build-remote-trustless.sh
+++ b/tests/functional/build-remote-trustless.sh
@ -9,7 +9,6 @@ requiresUnprivilegedUserNamespaces
 [[ "$busybox" =~ busybox ]] || skipTest "no busybox"

 unset NIX_STORE_DIR
-unset NIX_STATE_DIR

 remoteDir=$TEST_ROOT/remote

--- a/tests/functional/build-remote.sh
+++ b/tests/functional/build-remote.sh
@ -8,7 +8,6 @@ requiresUnprivilegedUserNamespaces

 # Avoid store dir being inside sandbox build-dir
 unset NIX_STORE_DIR
-unset NIX_STATE_DIR

 function join_by { local d=$1; shift; echo -n "$1"; shift; printf "%s" "${@/#/$d}"; }

--- a/tests/functional/supplementary-groups.sh
+++ b/tests/functional/supplementary-groups.sh
@ -14,7 +14,6 @@ execUnshare <<EOF

  # Avoid store dir being inside sandbox build-dir
  unset NIX_STORE_DIR
-  unset NIX_STATE_DIR

  setLocalStore () {
    export NIX_REMOTE=\$TEST_ROOT/\$1