author Eelco Dolstra <eelco.dolstra@logicblox.com> 2015-02-23 14:41:53 +0100
committer Eelco Dolstra <eelco.dolstra@logicblox.com> 2015-02-23 15:54:31 +0100
commit 15d2d3c34e454fb7795998a3a2d73010dfbdec38
tree 677224a9270e2f70112f58ab7adf8956c293e8fc /doc
parent 47bdc52c1bf7bcec0ea1b685cf4c22b6b93be06d
Add restricted evaluation mode
If ‘--option restrict-eval true’ is given, the evaluator will throw an exception if an attempt is made to access any file outside of the Nix search path. This is primarily intended for Hydra, where we don't want people doing ‘builtins.readFile ~/.ssh/id_dsa’ or stuff like that.
Diffstat (limited to 'doc')
-rw-r--r-- doc/manual/command-ref/conf-file.xml 15
1 files changed, 15 insertions, 0 deletions
diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml
index 1728abfd9..91aa910a2 100644
--- a/doc/manual/command-ref/conf-file.xml
+++ b/doc/manual/command-ref/conf-file.xml
@@ -539,6 +539,21 @@ flag, e.g. <literal>--option gc-keep-outputs false</literal>.</para>
</varlistentry>
+ <varlistentry xml:id="conf-restrict-eval"><term><literal>restrict-eval</literal></term>
+
+ <listitem>
+
+ <para>If set to <literal>true</literal>, the Nix evaluator will
+ not allow access to any files outside of the Nix search path (as
+ set via the <envar>NIX_PATH</envar> environment variable or the
+ <option>-I</option> option). The default is
+ <literal>false</literal>.</para>
+
+ </listitem>
+
+ </varlistentry>
+
+
</variablelist>
</para>
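Review bot: The new <para> under conf-restrict-eval says the evaluator "will not allow access" to files outside the search path but does not say how that refusal surfaces. The commit message states that the evaluator throws an exception, so the entry should say that evaluation fails with an error when such a path is accessed, so that readers do not assume the access is silently skipped. The motivation also lives only in the commit message (Hydra, and expressions such as builtins.readFile on a private key under ~/.ssh); one sentence in the manual saying the option is meant for evaluating expressions you do not fully trust would tell administrators when to turn it on, given that the documented default is false. Minor style point: the hunk adds two consecutive blank lines before </variablelist>, where one would match the spacing after the preceding </varlistentry>.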