Revert "Allow using /bin and /usr/bin as impure prefixes on non-darwin by default"

This reverts commit 79ca503332. Ouch, never noticed this. We definitely don't want to allow builds to have arbitrary access to /bin and /usr/bin, because then they can (for instance) bring in a bunch of setuid programs. Also, we shouldn't be encouraging the use of impurities in the default configuration.
2015-11-09 21:21:04 +01:00 · 2015-11-09 21:21:04 +01:00 · 96c2ebf004
parent 4384bbd2e1
commit 96c2ebf004
1 changed files with 1 additions and 1 deletions
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@ -62,7 +62,7 @@
    #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/System/Library /usr/lib /dev /bin/sh"
 #else
    #define SANDBOX_ENABLED 0
-    #define DEFAULT_ALLOWED_IMPURE_PREFIXES "/bin" "/usr/bin"
+    #define DEFAULT_ALLOWED_IMPURE_PREFIXES ""
 #endif

 #if CHROOT_ENABLED