author | zimbatm <zimbatm@zimbatm.com> | 2015-12-10 16:01:04 +0000 |
---|---|---|
committer | zimbatm <zimbatm@zimbatm.com> | 2015-12-10 16:01:04 +0000 |
commit | 9b33ec1764c34d5e9d542f59ce932209941b64f1 (patch) | |
tree | 08d2a35be77eb829fd97093bd55e660b3c44ec0c /pkgs/build-support | |
parent | c3be340ae0b63dbd167dfe998d17944b7dd2d1ed (diff) | |
build-fhs-userenv: don't leak file descriptors
This re-uses the capabilities documented in `Process.spawn` to avoid leaking unnecessary file descriptors to the sandbox.
Diffstat (limited to 'pkgs/build-support')
-rwxr-xr-x | pkgs/build-support/build-fhs-userenv/chroot-user.rb | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/pkgs/build-support/build-fhs-userenv/chroot-user.rb b/pkgs/build-support/build-fhs-userenv/chroot-user.rb
index 05b4914b6f6..97316ac4369 100755
--- a/pkgs/build-support/build-fhs-userenv/chroot-user.rb
+++ b/pkgs/build-support/build-fhs-userenv/chroot-user.rb
@@ -140,10 +140,10 @@ if $cpid == 0
 link_swdir.call swdir, Pathname.new('')
 # New environment
- ENV.replace(Hash[ envvars.map { |x| [x, ENV[x]] } ])
+ new_env = Hash[ envvars.map { |x| [x, ENV[x]] } ]
 # Finally, exec!
- exec *execp
+ exec(new_env, *execp, close_others: true, unsetenv_others: true)
 end
 # Wait for a child. If we catch a signal, resend it to child and continue
|
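Review bot: The new `exec` call closes only descriptors 3 and above, so stdin, stdout and stderr are still handed to the sandboxed program, and the `# Finally, exec!` comment does not say so. `close_others: true` leaves 0-2 inherited by design; if those are the caller's terminal, the sandbox shares it, which is worth stating next to the call, e.g. `# close_others drops fds >= 3 only; 0-2 (possibly the caller's tty) stay inherited`. It would also help to note that a name in `envvars` that is unset in the current environment maps to `nil` in `new_env`, which `exec` treats as "leave unset" rather than as an error. The `if $cpid == 0` block starts outside the hunk, so how `execp` and `envvars` are built is not visible here.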