From 79ca5033329053caa364bb2f7e50953f859cc97f Mon Sep 17 00:00:00 2001 From: Shea Levy Date: Tue, 13 Jan 2015 09:40:11 -0500 Subject: [PATCH] Allow using /bin and /usr/bin as impure prefixes on non-darwin by default These directories are generally world-readable anyway, and give us the two most common linux impurities (env and sh) --- src/libstore/build.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 575777c8a..5285d39df 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -56,7 +56,7 @@ #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/System/Library/Frameworks /usr/lib /dev /bin/sh" #else #define SANDBOX_ENABLED 0 - #define DEFAULT_ALLOWED_IMPURE_PREFIXES "" + #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/bin" "/usr/bin" #endif #if CHROOT_ENABLED