stdenv: make sure the env-vars file created is not world readable

Under some circumstances this file might contain private information that should not be accessible to everybody. (cherry picked from commit c47a1e7)
NixOS · Aug 4, 2024 · df7ecf3 · df7ecf3
1 parent 641fa22
commit df7ecf3
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh
@@ -981,7 +981,7 @@ substituteAllInPlace() {
 # the environment used for building.
 dumpVars() {
     if [ "${noDumpEnvVars:-0}" != 1 ]; then
-        export 2>/dev/null >| "$NIX_BUILD_TOP/env-vars" || true
+        install -m 0600 <(export 2>/dev/null) "$NIX_BUILD_TOP/env-vars" || true
     fi
 }