aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/libstore/build.cc14
-rw-r--r--src/libstore/builtins.cc10
-rw-r--r--src/libstore/builtins.hh2
-rw-r--r--src/libutil/util.cc4
-rw-r--r--src/libutil/util.hh2
5 files changed, 25 insertions, 7 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 1aee150fd..1ce23135f 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -2307,6 +2307,14 @@ void DerivationGoal::runChild()
bool setUser = true;
+ /* Make the contents of netrc available to builtin:fetchurl
+ (which may run under a different uid and/or in a sandbox). */
+ std::string netrcData;
+ try {
+ if (drv->isBuiltin() && drv->builder == "builtin:fetchurl")
+ netrcData = readFile(settings.netrcFile);
+ } catch (SysError &) { }
+
#if __linux__
if (useChroot) {
@@ -2675,7 +2683,7 @@ void DerivationGoal::runChild()
if (drv->isBuiltin()) {
try {
if (drv->builder == "builtin:fetchurl")
- builtinFetchurl(*drv);
+ builtinFetchurl(*drv, netrcData);
else
throw Error(format("unsupported builtin function ‘%1%’") % string(drv->builder, 8));
_exit(0);
@@ -3072,7 +3080,9 @@ void DerivationGoal::closeLogFile()
void DerivationGoal::deleteTmpDir(bool force)
{
if (tmpDir != "") {
- if (settings.keepFailed && !force) {
+ /* Don't keep temporary directories for builtins because they
+ might have privileged stuff (like a copy of netrc). */
+ if (settings.keepFailed && !force && !drv->isBuiltin()) {
printError(
format("note: keeping build directory ‘%2%’")
% drvPath % tmpDir);
diff --git a/src/libstore/builtins.cc b/src/libstore/builtins.cc
index a30f30906..c5dbd57f8 100644
--- a/src/libstore/builtins.cc
+++ b/src/libstore/builtins.cc
@@ -6,8 +6,16 @@
namespace nix {
-void builtinFetchurl(const BasicDerivation & drv)
+void builtinFetchurl(const BasicDerivation & drv, const std::string & netrcData)
{
+ /* Make the host's netrc data available. Too bad curl requires
+ this to be stored in a file. It would be nice if we could just
+ pass a pointer to the data. */
+ if (netrcData != "") {
+ settings.netrcFile = "netrc";
+ writeFile(settings.netrcFile, netrcData, 0600);
+ }
+
auto getAttr = [&](const string & name) {
auto i = drv.env.find(name);
if (i == drv.env.end()) throw Error(format("attribute ‘%s’ missing") % name);
diff --git a/src/libstore/builtins.hh b/src/libstore/builtins.hh
index 4b2431aa0..0cc6ba31f 100644
--- a/src/libstore/builtins.hh
+++ b/src/libstore/builtins.hh
@@ -4,6 +4,6 @@
namespace nix {
-void builtinFetchurl(const BasicDerivation & drv);
+void builtinFetchurl(const BasicDerivation & drv, const std::string & netrcData);
}
diff --git a/src/libutil/util.cc b/src/libutil/util.cc
index 336599368..0a5f796e4 100644
--- a/src/libutil/util.cc
+++ b/src/libutil/util.cc
@@ -288,9 +288,9 @@ string readFile(const Path & path, bool drain)
}
-void writeFile(const Path & path, const string & s)
+void writeFile(const Path & path, const string & s, mode_t mode)
{
- AutoCloseFD fd = open(path.c_str(), O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC, 0666);
+ AutoCloseFD fd = open(path.c_str(), O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC, mode);
if (!fd)
throw SysError(format("opening file ‘%1%’") % path);
writeFull(fd.get(), s);
diff --git a/src/libutil/util.hh b/src/libutil/util.hh
index cfaaf1486..2950f7daa 100644
--- a/src/libutil/util.hh
+++ b/src/libutil/util.hh
@@ -89,7 +89,7 @@ string readFile(int fd);
string readFile(const Path & path, bool drain = false);
/* Write a string to a file. */
-void writeFile(const Path & path, const string & s);
+void writeFile(const Path & path, const string & s, mode_t mode = 0666);
/* Read a line from a file descriptor. */
string readLine(int fd);