| 15 Jul 2025 |
raitobezarius (DECT: 7248) | If a parent directory is replaced with a symlink between the call to getdents and the call to openat, the next openat call will operate on the unexpected directory… | 18:00:14 |
raitobezarius (DECT: 7248) | So yeah, you could just symlink /tmp/SOMETHING | 18:00:37 |
raitobezarius (DECT: 7248) | But honestly, in the case of /nix/var/nix/builds | 18:00:58 |
raitobezarius (DECT: 7248) | What are you going to delete? | 18:01:07 |
raitobezarius (DECT: 7248) | /nix/var/nix ? | 18:01:10 |
raitobezarius (DECT: 7248) | or /nix/var/nix/builds ? | 18:01:16 |
raitobezarius (DECT: 7248) | doesn't matter that much? | 18:01:19 |
raitobezarius (DECT: 7248) | You cannot recreate because it's stronger security than living in /tmp, right? | 18:01:31 |
aloisw | I'm talking about the fallback, where you can still empty /tmp and it's the same as before except you have to create two directories? | 18:01:51 |
raitobezarius (DECT: 7248) | Indeed, the fallback logic does that | 18:02:00 |
raitobezarius (DECT: 7248) | Maybe the takeaway is that fallback is a bad idea | 18:02:12 |
aloisw | /nix/var/nix/builds is of course unaffected because no component is world writable. | 18:02:18 |
raitobezarius (DECT: 7248) | But we are running in an impossible tension when it comes to that logic | 18:02:19 |
raitobezarius (DECT: 7248) | The fallback logic exists when you run Nix as an unprivileged user that cannot mutate /nix/var/nix/builds | 18:02:37 |
raitobezarius (DECT: 7248) | What this points to is probably that the build directory should live in the user private tmp? | 18:03:01 |
raitobezarius (DECT: 7248) | So, /run/user/$UID ? | 18:03:11 |
raitobezarius (DECT: 7248) | How about this? | 18:03:28 |
raitobezarius (DECT: 7248) | Fallback logic tries to go for /run/user/$UID first, then falls back to /tmp | 18:03:38 |
raitobezarius (DECT: 7248) | The tmp fallback seems inevitable for… other platforms than Linux/systemd I suppose? | 18:03:48 |
raitobezarius (DECT: 7248) | In reply to @me:indeednotjames.com uh sure, can look into this if jade is currently away/afk (go ahead) | 18:04:45 |
raitobezarius (DECT: 7248) | In reply to @raitobezarius:matrix.org The fallback logic exists when you run Nix as an unprivileged user that cannot mutate /nix/var/nix/builds And to finish my reasoning: either you have a nice location that you know has no world writable component, but you need to find one that makes sense for the user and is writable for you, or you don't and the world writable locations are not too bad for that? | 18:05:24 |
raitobezarius (DECT: 7248) | The best is the former, the worst is the latter | 18:05:53 |
aloisw | In reply to @raitobezarius:matrix.org Fallback logic tries to go for /run/user/$UID first, then falls back to /tmp Is it big enough? tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=4045880k,nr_inodes=1011470,mode=700,uid=1000,gid=100) | 18:09:30 |
raitobezarius (DECT: 7248) | that's my concern as well… | 18:09:44 |
raitobezarius (DECT: 7248) | but can be fixed | 18:09:46 |
raitobezarius (DECT: 7248) | and also supposed to stage only builds that cannot go via /nix/var/nix/builds | 18:09:54 |
aloisw | Agreed, the hardening also seems a lot more important in the privileged case anyway. | 18:13:13 |
aloisw | Or maybe not, given that the arbitrary directory delete may not come from Lix? But I fail to come up with a reasonable threat model here in any case. | 18:14:39 |
aloisw | Also we might need to nest the build directory in a not world-executable path to prevent the builder from allowing external processes to place sockets into it? | 18:18:52 |