* Remove write permission from output paths after they have been built.

* Point $HOME to a non-existing path when building to prevent certain tools (such as wget) from falling back on /etc/passwd to locate the home directory (which we don't want them to look at since it's not declared as an input).
2025-07-06 21:41:48 +02:00 · 2003-08-22 20:12:44 +00:00 · 2003-08-22 20:12:44 +00:00 · a88144215c
commit a88144215c
parent 56b98c3857
3 changed files with 52 additions and 6 deletions
--- a/src/normalise.cc
+++ b/src/normalise.cc
@ -131,6 +131,14 @@ FSId normaliseFState(FSId id, FSIdSet pending)
       value. */
    env["PATH"] = "/path-not-set";

+    /* Set HOME to a non-existing path to prevent certain programs from using
+       /etc/passwd (or NIS, or whatever) to locate the home directory (for
+       example, wget looks for ~/.wgetrc).  I.e., these tools use /etc/passwd
+       if HOME is not set, but they will just assume that the settings file
+       they are looking for does not exist if HOME is set but points to some
+       non-existing path. */
+    env["HOME"] = "/homeless-shelter";
+
    /* Build the environment. */
    for (StringPairs::iterator i = fs.derive.env.begin();
         i != fs.derive.env.end(); i++)
@ -178,7 +186,8 @@ FSId normaliseFState(FSId id, FSIdSet pending)
        msg(lvlChatty, format("fast build succesful"));

    /* Check whether the output paths were created, and grep each
-       output path to determine what other paths it references. */
+       output path to determine what other paths it references.  Also make all
+       output paths read-only. */
    StringSet usedPaths;
    for (DeriveOutputs::iterator i = fs.derive.outputs.begin(); 
         i != fs.derive.outputs.end(); i++)
@ -188,10 +197,12 @@ FSId normaliseFState(FSId id, FSIdSet pending)
            throw Error(format("path `%1%' does not exist") % path);
        nfFS.slice.roots.insert(path);

+	makePathReadOnly(path);
+
 	/* For this output path, find the references to other paths contained
 	   in it. */
        Strings refPaths = filterReferences(path, 
-	    Strings(allPaths.begin(), allPaths.end()));
+					    Strings(allPaths.begin(), allPaths.end()));

 	/* Construct a slice element for this output path. */
        SliceElem elem;