* Fix nix-prefetch-url in setuid Nix installations.

1 files changed, 20 insertions, 9 deletions

diff --git a/scripts/nix-prefetch-url.in b/scripts/nix-prefetch-url.in
index 45b3ed7ee..8fc82c11b 100644
--- a/scripts/nix-prefetch-url.in
+++ b/scripts/nix-prefetch-url.in
@@ -7,9 +7,18 @@ if test -z "$url"; then
     exit 1
 fi
 
-# !!! race? should be relatively safe, `svn export' barfs if $tmpPath exists.
+# !!! race
 tmpPath1=@storedir@/nix-prefetch-url-$$
 
+# Test whether we have write permission in the store.  If not, fetch
+# to /tmp and don't copy to the store.  This is a hack to make this
+# script at least work somewhat in setuid installations.
+if ! touch $tmpPath1 2> /dev/null; then
+    echo "(cannot write to the store, result won't be cached)" >&2
+    dummyMode=1
+    tmpPath1=/tmp/nix-prefetch-url-$$ # !!! security?
+fi
+
 # Perform the checkout.
 @curl@ --fail --location --max-redirs 20 "$url" > $tmpPath1
 
@@ -17,22 +26,24 @@ tmpPath1=@storedir@/nix-prefetch-url-$$
 hash=$(@bindir@/nix-hash --flat $tmpPath1)
 echo "hash is $hash" >&2
 
-# Rename it so that the fetchsvn builder can find it.
-tmpPath2=@storedir@/nix-prefetch-url-$hash
-test -e $tmpPath2 || mv $tmpPath1 $tmpPath2 # !!! race
+# Rename it so that the fetchurl builder can find it.
+if test "$dummyMode" != 1; then
+    tmpPath2=@storedir@/nix-prefetch-url-$hash
+    test -e $tmpPath2 || mv $tmpPath1 $tmpPath2 # !!! race
+fi
 
-# Create a Nix expression that does a fetchsvn.
+# Create a Nix expression that does a fetchurl.
 storeExpr=$( \
-  echo "(import @datadir@/nix/corepkgs/fetchurl) \
+    echo "(import @datadir@/nix/corepkgs/fetchurl) \
         {url = $url; md5 = \"$hash\"; system = \"@system@\";}" \
-  | @bindir@/nix-instantiate -)
+    | @bindir@/nix-instantiate -)
 
 # Realise it.
 finalPath=$(@bindir@/nix-store -qnB --force-realise $storeExpr)
-
+    
 echo "path is $finalPath" >&2
 
-rm -rf $tmpPath2 || true
+rm -rf $tmpPath1 $tmpPath2 || true
 
 echo $hash