Closed
I imagine this is an important security threat.
Any builder process child I see has these 3, 4 and 8 fds open, which look like they are coming from nix.
I've seen the 255 only in the 'bash' one. This example is building a sqlite expression using the worker.
```
lrwx------ 1 nixbld2 nixbld 64 14 abr 23:19 0 -> /nix/store/r1y7d0phrmz3dpm4ffhl92cr8pc433bl-sqlite-3.7.9-full.drv.chroot/dev/null
l-wx------ 1 nixbld2 nixbld 64 14 abr 23:19 1 -> pipe:[118866]
l-wx------ 1 nixbld2 nixbld 64 14 abr 23:19 2 -> pipe:[118866]
lr-x------ 1 nixbld2 nixbld 64 14 abr 23:19 255 -> /nix/store/r1y7d0phrmz3dpm4ffhl92cr8pc433bl-sqlite-3.7.9-full.drv.chroot/nix/store/9krlzvny65gdc8s7kpb6lkx8cd02c25b-default-builder.sh
lrwx------ 1 nixbld2 nixbld 64 14 abr 23:19 3 -> socket:[7864]
lrwx------ 1 nixbld2 nixbld 64 14 abr 23:19 4 -> socket:[118851]
lrwx------ 1 nixbld2 nixbld 64 14 abr 23:19 8 -> /nix/var/nix/db/db.sqlite-shm
```
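A check for the listing above, as an added example that is not part of the original issue or of the Nix code base: it parses `ls -l /proc/<pid>/fd` output and reports descriptors above stdio that do not resolve to a path inside the build chroot. Treating the `.drv.chroot` directory from the listing as the build root is an assumption, and the function names are hypothetical.

```python
import os

# Chroot root as it appears in the listing from the issue (assumed to be the build root).
CHROOT = "/nix/store/r1y7d0phrmz3dpm4ffhl92cr8pc433bl-sqlite-3.7.9-full.drv.chroot"

# The `ls -l /proc/<pid>/fd` output quoted in the issue, copied verbatim.
LISTING = f"""\
lrwx------ 1 nixbld2 nixbld 64 14 abr 23:19 0 -> {CHROOT}/dev/null
l-wx------ 1 nixbld2 nixbld 64 14 abr 23:19 1 -> pipe:[118866]
l-wx------ 1 nixbld2 nixbld 64 14 abr 23:19 2 -> pipe:[118866]
lr-x------ 1 nixbld2 nixbld 64 14 abr 23:19 255 -> {CHROOT}/nix/store/9krlzvny65gdc8s7kpb6lkx8cd02c25b-default-builder.sh
lrwx------ 1 nixbld2 nixbld 64 14 abr 23:19 3 -> socket:[7864]
lrwx------ 1 nixbld2 nixbld 64 14 abr 23:19 4 -> socket:[118851]
lrwx------ 1 nixbld2 nixbld 64 14 abr 23:19 8 -> /nix/var/nix/db/db.sqlite-shm
"""

def parse_listing(text):
    """Map fd number -> link target from `ls -l /proc/<pid>/fd` output."""
    fds = {}
    for line in text.splitlines():
        left, sep, target = line.partition(" -> ")
        fields = left.split()
        if sep and fields and fields[-1].isdigit():
            fds[int(fields[-1])] = target.strip()
    return fds

def read_proc_fds(pid):
    """Same map, read live from /proc (Linux; needs permission to inspect pid)."""
    base = f"/proc/{pid}/fd"
    return {int(n): os.readlink(os.path.join(base, n)) for n in os.listdir(base)}

def classify(target, chroot):
    """Label a link target: kernel object type, or path inside/outside the chroot."""
    if not target.startswith("/"):
        return target.split(":", 1)[0]  # socket, pipe, anon_inode, ...
    inside = target == chroot or target.startswith(chroot.rstrip("/") + "/")
    return "in-chroot" if inside else "outside-chroot"

def suspects(fds, chroot):
    """Descriptors above stdio that do not resolve to a path inside the chroot."""
    out = {}
    for fd, target in sorted(fds.items()):
        kind = classify(target, chroot)
        if fd > 2 and kind != "in-chroot":
            out[fd] = (kind, target)
    return out

if __name__ == "__main__":
    for fd, (kind, target) in suspects(parse_listing(LISTING), CHROOT).items():
        print(f"fd {fd}: {kind} -> {target}")
```

For a running build, pass `read_proc_fds(pid)` instead of `parse_listing(LISTING)`; paths are then as seen from the namespace of the process doing the inspection.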