Security Advisory: Environment variables accessible during a build might be world readable

Impact

nixpkgs exposes the environment variables accessible during a build in an env-vars file to aid in debugging broken builds.

If the temporary build directory is world-readable, the generated env-vars file is also accessible to everyone.

This can be problematic during impure builds, as the environment variables of your current session may contain sensitive information or secrets. An impure build might be started, for example, when the nix-shell command is invoked in an interactive setting.

The following example creates a /tmp/env-vars file containing the environment variables from your current session:

$> TMPDIR=/tmp nix-shell -p hello
$> cat /tmp/env-vars

Patches

The env-vars file is created with 0600 permissions instead of 0644 since the following patches:

Depending on your situation you might want to revoke the secrets that may have been exposed.
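
To check whether earlier builds left an env-vars file readable by other users, the following added example (not part of the original advisory or of nixpkgs) lists such files under a directory and can tighten the ones you own to 0600. The function names and the default directory are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit for env-vars files readable beyond their owner.
# Function names and the default directory are assumptions of this example.

# Print every file named env-vars under DIR that has the group-read or
# other-read bit set (for example mode 0644 rather than 0600).
find_exposed_env_vars() {
    dir=${1:-${TMPDIR:-/tmp}}
    # -perm -MODE matches when all bits in MODE are set (POSIX find).
    find "$dir" -type f -name env-vars \
        \( -perm -040 -o -perm -004 \) -print 2>/dev/null
    return 0   # unreadable subdirectories are skipped, not treated as failure
}

# Tighten the flagged files owned by the current user to 0600.
restrict_env_vars() {
    dir=${1:-${TMPDIR:-/tmp}}
    find "$dir" -type f -name env-vars -user "$(id -u)" \
        \( -perm -040 -o -perm -004 \) -exec chmod 600 {} + 2>/dev/null
    return 0
}

# Run as: sh audit-env-vars.sh /tmp
if [ "$#" -gt 0 ]; then
    find_exposed_env_vars "$1"
fi
```

Tightening the mode afterwards does not undo an exposure that already happened, so a file found here is still a reason to consider revoking the secrets it contains.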
