Impact
nixpkgs exposes the environment variables accessible during a build in an env-vars file to aid in debugging broken builds.
If the temporary build directory is world-readable, the generated env-vars file is also accessible to everyone.
This can be problematic during impure builds, as the environment variables of your current session may contain sensitive information or secrets. An impure build might e.g. be started, when the nix-shell command is invoked in an interactive setting.
The following example creates a /tmp/env-vars file containing the environment variables from your current session:
$> TMPDIR=/tmp nix-shell -p hello
$> cat /tmp/env-vars
Patches
The env-vars file is created with 0600 permissions instead of 0644 since the following patches:
- Unstable: stdenv: make sure the `env-vars` file created is not world readable by LeSuisse · Pull Request #331576 · NixOS/nixpkgs · GitHub (PR progress tracker, if you are a Darwin user you also want stdenv: create `env-vars` file before writing data to it by LeSuisse · Pull Request #335593 · NixOS/nixpkgs · GitHub)
- 24.05: [Backport staging-24.05] stdenv: make sure the `env-vars` file created is not world readable by github-actions[bot] · Pull Request #332347 · NixOS/nixpkgs · GitHub (PR progress tracker)
Depending on your situation you might want to revoke the secrets that may have been exposed.