From 3a4623afbbc1bff85bde33167d36e8c5a4a3df0d Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date: Thu, 26 Jul 2012 15:04:40 -0400
Subject: [PATCH] Set permissions on temporary build directories to 0700

Fixes #39.
---
 src/libstore/build.cc | 3 ++-
 src/libutil/util.cc   | 4 ++--
 src/libutil/util.hh   | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index a3bde3462..290635695 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -1527,7 +1527,7 @@ void DerivationGoal::startBuilder()
 
     /* Create a temporary directory where the build will take
        place. */
-    tmpDir = createTempDir("", "nix-build-" + baseNameOf(drvPath), false, false);
+    tmpDir = createTempDir("", "nix-build-" + baseNameOf(drvPath), false, false, 0700);
 
     /* For convenience, set an environment pointing to the top build
        directory. */
@@ -2178,6 +2178,7 @@ void DerivationGoal::deleteTmpDir(bool force)
                 % drvPath % tmpDir);
             if (buildUser.enabled() && !amPrivileged())
                 getOwnership(tmpDir);
+            chmod(tmpDir.c_str(), 0755);
         }
         else
             deletePathWrapped(tmpDir);
diff --git a/src/libutil/util.cc b/src/libutil/util.cc
index b188a9fc0..689fc543a 100644
--- a/src/libutil/util.cc
+++ b/src/libutil/util.cc
@@ -380,7 +380,7 @@ static Path tempName(Path tmpRoot, const Path & prefix, bool includePid,
 
 
 Path createTempDir(const Path & tmpRoot, const Path & prefix,
-    bool includePid, bool useGlobalCounter)
+    bool includePid, bool useGlobalCounter, mode_t mode)
 {
     static int globalCounter = 0;
     int localCounter = 0;
@@ -389,7 +389,7 @@ Path createTempDir(const Path & tmpRoot, const Path & prefix,
     while (1) {
         checkInterrupt();
 	Path tmpDir = tempName(tmpRoot, prefix, includePid, counter);
-	if (mkdir(tmpDir.c_str(), 0777) == 0) {
+	if (mkdir(tmpDir.c_str(), mode) == 0) {
 	    /* Explicitly set the group of the directory.  This is to
 	       work around around problems caused by BSD's group
 	       ownership semantics (directories inherit the group of
diff --git a/src/libutil/util.hh b/src/libutil/util.hh
index 362d0f65e..9b8656f70 100644
--- a/src/libutil/util.hh
+++ b/src/libutil/util.hh
@@ -88,7 +88,7 @@ void makePathReadOnly(const Path & path);
 
 /* Create a temporary directory. */
 Path createTempDir(const Path & tmpRoot = "", const Path & prefix = "nix",
-    bool includePid = true, bool useGlobalCounter = true);
+    bool includePid = true, bool useGlobalCounter = true, mode_t mode = 0755);
 
 /* Create a directory and all its parents, if necessary.  Returns the
    list of created directories, in order of creation. */