authorEelco Dolstra <edolstra@gmail.com>2023-06-30 13:13:42 +0200
committerGitHub <noreply@github.com>2023-06-30 13:13:42 +0200
commita0c617348b636d4a6f239450a61e029719e2c832 (patch)
tree295694766b2ce599f3a8b5c22830bf5004472963
parent1632f08ea2fd6628e2c0cf729ba5269153b3007c (diff)
parent80c9259756811c1165167db1bb66c1fef0accb65 (diff)
Merge pull request #8589 from jfroche/sign-paths-as-allowed-user
Allow to sign path as unprivileged user
-rw-r--r--doc/manual/src/release-notes/rl-next.md3
-rw-r--r--src/libstore/daemon.cc2
-rw-r--r--tests/nixos/authorization.nix15
3 files changed, 18 insertions, 2 deletions
diff --git a/doc/manual/src/release-notes/rl-next.md b/doc/manual/src/release-notes/rl-next.md
index bde9057c6..8479b166a 100644
--- a/doc/manual/src/release-notes/rl-next.md
+++ b/doc/manual/src/release-notes/rl-next.md
@@ -1,3 +1,6 @@
# Release X.Y (202?-??-??)
- [`nix-channel`](../command-ref/nix-channel.md) now supports a `--list-generations` subcommand
+
+- Nix now allows unprivileged/[`allowed-users`](../command-ref/conf-file.md#conf-allowed-users) to sign paths.
+ Previously, only [`trusted-users`](../command-ref/conf-file.md#conf-trusted-users) users could sign paths.
diff --git a/src/libstore/daemon.cc b/src/libstore/daemon.cc
index 75c3d2aca..ad3dee1a2 100644
--- a/src/libstore/daemon.cc
+++ b/src/libstore/daemon.cc
@@ -864,8 +864,6 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
auto path = store->parseStorePath(readString(from));
StringSet sigs = readStrings<StringSet>(from);
logger->startWork();
- if (!trusted)
- throw Error("you are not privileged to add signatures");
store->addSignatures(path, sigs);
logger->stopWork();
to << 1;
diff --git a/tests/nixos/authorization.nix b/tests/nixos/authorization.nix
index 7e8744dd9..fdeae06ed 100644
--- a/tests/nixos/authorization.nix
+++ b/tests/nixos/authorization.nix
@@ -75,5 +75,20 @@
su --login bob -c '(! nix-store --verify --repair 2>&1)' | tee diag 1>&2
grep -F "you are not privileged to repair paths" diag
""")
+
+ machine.succeed("""
+ set -x
+ su --login mallory -c '
+ nix-store --generate-binary-cache-key cache1.example.org sk1 pk1
+ (! nix store sign --key-file sk1 ${pathFour} 2>&1)' | tee diag 1>&2
+ grep -F "cannot open connection to remote store 'daemon'" diag
+ """)
+
+ machine.succeed("""
+ su --login bob -c '
+ nix-store --generate-binary-cache-key cache1.example.org sk1 pk1
+ nix store sign --key-file sk1 ${pathFour}
+ '
+ """)
'';
}
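Review bot: The `bob` case at the end of this hunk asserts only that `nix store sign` exits successfully, so it never shows that the signature was recorded on `${pathFour}`. Because this commit drops the `trusted` check in front of `store->addSignatures(path, sigs)` in daemon.cc, any allowed user can now attach client-supplied signature strings to a store path. The test would pin that boundary down better by reading the signature back, e.g. `nix path-info --sigs ${pathFour}` followed by a `grep -F "cache1.example.org"`. If the suite can express it, it should also check that a key absent from `trusted-public-keys` does not make the path count as trusted. In the `mallory` block the pipeline status is that of `tee`, so the `grep -F` line is the only real assertion there; the enclosing test script starts outside the hunk.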