Impact
nixpkgs exposes the environment variables accessible during a build in an env-vars file to aid in debugging broken builds. If the temporary build directory is world-readable, the generated env-vars file is also accessible to everyone.
This can be problematic during impure builds, as the environment variables of your current session may contain sensitive information or secrets. An impure build is started, for example, when the nix-shell command is invoked in an interactive setting.
The following example creates a /tmp/env-vars file containing the environment variables from your current session:
$> TMPDIR=/tmp nix-shell -p hello
$> cat /tmp/env-vars
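To check whether a build-temp directory such as the one above already holds a world-readable env-vars file, and which variables in it look like credentials, here is an added shell example; it is not part of this advisory or of nixpkgs. It assumes env-vars holds the output of bash's `export` builtin (lines of the form `declare -x NAME="value"`), the list of secret-looking name patterns is an assumption to adjust for your environment, and the sample env-vars file it creates is constructed for the demonstration rather than captured from a real build.

```shell
#!/bin/sh
# Added example, not part of the advisory or of nixpkgs.
# Finds env-vars files under a build-temp directory that other users can read
# and lists the variable names in them that look like credentials.

# Print every regular file named env-vars below "$1" whose mode has the
# "others may read" bit set (-perm -004 is POSIX find syntax).
find_world_readable_env_vars() {
  find "$1" -type f -name env-vars -perm -004 2>/dev/null
}

# Print the names of variables in the env-vars file "$1" that look like secrets.
# Assumes the file holds bash `export` output: declare -x NAME="value" lines.
# The name pattern is an assumption; extend it for your environment.
list_suspicious_vars() {
  sed -n 's/^declare -x \([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" |
    grep -iE 'token|secret|password|passwd|api_?key|credential|private_key' || true
}

# Create a directory holding a constructed env-vars file with the pre-patch
# 0644 mode and print the directory path. The contents are made up.
make_sample_build_dir() {
  d=$(mktemp -d)
  printf '%s\n' \
    'declare -x HOME="/home/alice"' \
    'declare -x GITHUB_TOKEN="ghp_example_not_a_real_token"' \
    'declare -x AWS_SECRET_ACCESS_KEY="example_not_a_real_key"' \
    'declare -x PATH="/run/current-system/sw/bin"' > "$d/env-vars"
  chmod 0644 "$d/env-vars"
  printf '%s\n' "$d"
}

# Report every world-readable env-vars file under "$1", one line per file,
# followed by one line per suspicious variable name it contains.
report() {
  find_world_readable_env_vars "$1" | while IFS= read -r f; do
    printf 'world-readable: %s\n' "$f"
    list_suspicious_vars "$f" | sed 's/^/  suspicious variable: /'
  done
}

# Run against a constructed directory when invoked as: sh check-env-vars.sh --demo
if [ "${1:-}" = "--demo" ]; then
  sample=$(make_sample_build_dir)
  report "$sample"
  chmod 0600 "$sample/env-vars"        # the post-patch mode
  printf 'after chmod 0600: %s file(s) found\n' \
    "$(find_world_readable_env_vars "$sample" | wc -l | tr -d ' ')"
  rm -rf "$sample"
fi
```

On a real system, run `report "${TMPDIR:-/tmp}"` (or point it at whatever TMPDIR your nix-shell used) to see which leftover env-vars files other local users could have read; a file that is 0600 but sits in a directory other users can traverse is no longer reported, which is exactly the state the patches below produce.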
Patches
The env-vars file is created with 0600 permissions instead of 0644 since the following patches:
- Unstable: stdenv: make sure the `env-vars` file created is not world readable (NixOS/nixpkgs pull request #331576 by LeSuisse; PR progress tracker). If you are a Darwin user you also want stdenv: create `env-vars` file before writing data to it (NixOS/nixpkgs pull request #335593 by LeSuisse).
- 24.05: [Backport staging-24.05] stdenv: make sure the `env-vars` file created is not world readable (NixOS/nixpkgs pull request #332347 by github-actions[bot]; PR progress tracker).
Depending on your situation, you might want to revoke any secrets that may have been exposed.