From 224d0d530241a666fc6d929019e07098230bd24e Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Thu, 8 Jan 2015 16:57:34 +0100
Subject: [PATCH] Set stricter permissions on /nix/store
The nixbld group doesn't need read permission, it only needs write and execute permission.
(cherry picked from commit 066758758e7c0768ff8da51d208cdae0f33b368c)
---
 nixos/modules/installer/tools/nixos-install.sh | 2 +-
 nixos/modules/system/boot/stage-2-init.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh
index bfb42d40b06ea16..8f3de10c6133dd6 100644
--- a/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixos/modules/installer/tools/nixos-install.sh
@@ -128,7 +128,7 @@ mkdir -m 0755 -p \
 $mountPoint/nix/var/nix/db \
 $mountPoint/nix/var/log/nix/drvs
-mkdir -m 1775 -p $mountPoint/nix/store
+mkdir -m 1735 -p $mountPoint/nix/store
 chown root:nixbld $mountPoint/nix/store
diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh
index 173453a17f71f20..42148957be4075f 100644
--- a/nixos/modules/system/boot/stage-2-init.sh
+++ b/nixos/modules/system/boot/stage-2-init.sh
@@ -53,7 +53,7 @@ echo "booting system configuration $systemConfig" > /dev/kmsg
 # Silence chown/chmod to fail gracefully on a readonly filesystem
 # like squashfs.
 chown -f 0:30000 /nix/store
-chmod -f 1775 /nix/store
+chmod -f 1735 /nix/store
 if [ -n "@readOnlyStore@" ]; then
 if ! readonly-mountpoint /nix/store; then
 mount --bind /nix/store /nix/store
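Review bot: `mkdir -m 1735 -p $mountPoint/nix/store` applies the mode only when it actually creates the directory; with `-p`, a store that already exists under $mountPoint (an installer re-run, a pre-populated target) keeps whatever mode it had, so the tightening from 1775 does not reach it. Follow the mkdir with an explicit `chmod 1735 "$mountPoint/nix/store"`, which is also what stage-2-init.sh does at boot. $mountPoint is unquoted on both the mkdir and the chown line, so a mount point containing whitespace is split into several arguments. Since 1735 reads like a typo for the conventional 1775 and is repeated in two files, a short comment above the mkdir such as `# 1735: root rwx, nixbld wx (may create and traverse store paths, not list them), others rx, sticky` would keep it from being "corrected" later.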
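Review bot: `chmod -f 1735 /nix/store` silences every failure, not only the read-only-filesystem case the comment two lines above describes, so a store that stays at 1775 for any other reason (a bad mount option, an existing ACL, chown having failed first) boots without any trace of it. The `readonly-mountpoint` helper used a few lines below could gate this instead: run the chmod without `-f` when the store is writable and only skip it on a read-only mount, or at least report a failure via the `/dev/kmsg` channel the script already uses. Independently, the mode deserves the same one-line explanation as in nixos-install.sh (`# nixbld: create and traverse store paths but not list them; others keep rx`) so the intent survives the next edit. The `if [ -n "@readOnlyStore@" ]` block that begins in the last context lines continues outside the hunk.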