From df7ecf34cc68bc9f1d03057381a56c193255049a Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Thu, 1 Aug 2024 19:26:05 +0200
Subject: [PATCH] stdenv: make sure the `env-vars` file created is not world readable

Under some circumstances this file might contain private information that should not be accessible to everybody.

(cherry picked from commit c47a1e701df7f00352b8cf401fa79c0d2f5fcc59)
---
 pkgs/stdenv/generic/setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh
index d7521b1ad5da7..07f584ff22acb 100644
--- a/pkgs/stdenv/generic/setup.sh
+++ b/pkgs/stdenv/generic/setup.sh
@@ -981,7 +981,7 @@ substituteAllInPlace() {
 # the environment used for building.
 dumpVars() {
 if [ "${noDumpEnvVars:-0}" != 1 ]; then
- export 2>/dev/null >| "$NIX_BUILD_TOP/env-vars" || true
+ install -m 0600 <(export 2>/dev/null) "$NIX_BUILD_TOP/env-vars" || true
 fi
 }
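Review bot: The replacement line in dumpVars now depends on the external `install` binary and on process substitution, where the old line used only shell builtins, and the trailing `|| true` hides any failure, so if `install` cannot be found on PATH at that point the env-vars file is silently not written. That fails in the safe direction for confidentiality, but it loses the debugging aid this function exists for, with nothing in the build log to say why. A builtin-only form such as `( umask 077; export 2>/dev/null >| "$NIX_BUILD_TOP/env-vars" ) || true` would avoid the dependency, although unlike `install` it would not tighten the mode of a file that already exists, so the trade-off is worth stating. Whichever form is kept, a short comment on the line would help the next reader, e.g. `# mode 0600: the dump may contain secrets passed through the environment`.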