aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--corepkgs/fetchurl.nix7
-rw-r--r--doc/dev/release-procedures.txt33
-rw-r--r--doc/manual/builtins.xml12
-rw-r--r--doc/manual/opt-common.xml9
-rw-r--r--doc/manual/release-notes.xml57
-rw-r--r--perl/lib/Nix/Store.xs21
-rwxr-xr-xscripts/build-remote.pl.in5
-rw-r--r--src/libexpr/eval.cc2
-rw-r--r--src/libexpr/nixexpr.hh4
-rw-r--r--src/libexpr/parser.y6
-rw-r--r--src/libexpr/primops.cc16
-rw-r--r--src/libmain/shared.cc7
-rw-r--r--src/libstore/build.cc18
-rw-r--r--src/libstore/gc.cc5
-rw-r--r--src/libstore/globals.cc9
-rw-r--r--src/libstore/globals.hh3
-rw-r--r--src/libstore/local-store.cc116
-rw-r--r--src/libstore/local-store.hh4
-rw-r--r--src/libstore/optimise-store.cc2
-rw-r--r--src/libstore/remote-store.cc2
-rw-r--r--src/libstore/worker-protocol.hh8
-rw-r--r--src/nix-daemon/nix-daemon.cc2
-rw-r--r--src/nix-store/nix-store.cc77
-rw-r--r--substitute.mk3
-rw-r--r--tests/nix-copy-closure.nix8
-rw-r--r--tests/remote-builds.nix4
-rw-r--r--version2
27 files changed, 277 insertions, 165 deletions
diff --git a/corepkgs/fetchurl.nix b/corepkgs/fetchurl.nix
index 4a0ae8279..39b9dd508 100644
--- a/corepkgs/fetchurl.nix
+++ b/corepkgs/fetchurl.nix
@@ -1,6 +1,6 @@
with import <nix/config.nix>;
-{system ? builtins.currentSystem, url, outputHash ? "", outputHashAlgo ? "", md5 ? "", sha1 ? "", sha256 ? ""}:
+{system ? builtins.currentSystem, url, outputHash ? "", outputHashAlgo ? "", md5 ? "", sha1 ? "", sha256 ? "", executable ? false}:
assert (outputHash != "" && outputHashAlgo != "")
|| md5 != "" || sha1 != "" || sha256 != "";
@@ -8,10 +8,10 @@ assert (outputHash != "" && outputHashAlgo != "")
let
builder = builtins.toFile "fetchurl.sh"
- ''
+ (''
echo "downloading $url into $out"
${curl} --fail --location --max-redirs 20 --insecure "$url" > "$out"
- '';
+ '' + (if executable then "${coreutils}/chmod +x $out" else ""));
in
@@ -25,6 +25,7 @@ derivation {
if sha256 != "" then "sha256" else if sha1 != "" then "sha1" else "md5";
outputHash = if outputHash != "" then outputHash else
if sha256 != "" then sha256 else if sha1 != "" then sha1 else md5;
+ outputHashMode = if executable then "recursive" else "flat";
inherit system url;
diff --git a/doc/dev/release-procedures.txt b/doc/dev/release-procedures.txt
deleted file mode 100644
index 1e95a9ee9..000000000
--- a/doc/dev/release-procedures.txt
+++ /dev/null
@@ -1,33 +0,0 @@
-To produce a `stable' release from the trunk:
-
--1. Update the release notes; make sure that the release date is
- correct.
-
-0. Make sure that the trunk builds in the release supervisor.
-
-1. Branch the trunk, e.g., `svn cp .../trunk
- .../branches/0.5-release'.
-
-2. Switch to the branch, e.g., `svn switch .../branches/0.5-release'.
-
-3. In `configure.ac', change `STABLE=0' into `STABLE=1' and commit.
-
-4. In the release supervisor, add a one-time job to build
- `.../branches/0.5-release'.
-
-5. Make sure that the release succeeds.
-
-6. Move the branch to a tag, e.g., `svn mv .../branches/0.5-release
- .../tags/0.5'.
-
- Note that the branch should not be used for maintenance; it should
- be deleted after the release has been created. A maintenance
- branch (e.g., `.../branches/0.5') should be created from the
- original revision of the trunk (since maintenance releases should
- also be tested first; hence, we cannot have `STABLE=1'). The same
- procedure can then be followed to produce maintenance releases;
- just substitute `.../branches/VERSION' for the trunk.
-
-7. Switch back to the trunk.
-
-8. Bump the version number in `configure.ac' (in AC_INIT).
diff --git a/doc/manual/builtins.xml b/doc/manual/builtins.xml
index 9f5f4438c..b75f58e21 100644
--- a/doc/manual/builtins.xml
+++ b/doc/manual/builtins.xml
@@ -302,6 +302,18 @@ stdenv.mkDerivation {
</varlistentry>
+ <varlistentry><term><function>builtins.hashString</function>
+ <replaceable>type</replaceable> <replaceable>s</replaceable></term>
+
+ <listitem><para>Return a base-16 representation of the
+ cryptographic hash of string <replaceable>s</replaceable>. The
+ hash algorithm specified by <replaceable>type</replaceable> must
+ be one of <literal>"md5"</literal>, <literal>"sha1"</literal> or
+ <literal>"sha256"</literal>.</para></listitem>
+
+ </varlistentry>
+
+
<varlistentry><term><function>builtins.head</function>
<replaceable>list</replaceable></term>
diff --git a/doc/manual/opt-common.xml b/doc/manual/opt-common.xml
index 72971bd6a..329345773 100644
--- a/doc/manual/opt-common.xml
+++ b/doc/manual/opt-common.xml
@@ -343,10 +343,11 @@
<varlistentry><term><option>-I</option> <replaceable>path</replaceable></term>
- <listitem><para>Add a path to the Nix expression search path. See
- the <envar>NIX_PATH</envar> environment variable for details. Paths
- added through <option>-I</option> take precedence over
- <envar>NIX_PATH</envar>.</para></listitem>
+ <listitem><para>Add a path to the Nix expression search path. This
+ option may be given multiple times. See the <envar>NIX_PATH</envar>
+ environment variable for information on the semantics of the Nix
+ search path. Paths added through <option>-I</option> take
+ precedence over <envar>NIX_PATH</envar>.</para></listitem>
</varlistentry>
diff --git a/doc/manual/release-notes.xml b/doc/manual/release-notes.xml
index e7e9bf3c5..a078be83d 100644
--- a/doc/manual/release-notes.xml
+++ b/doc/manual/release-notes.xml
@@ -8,6 +8,63 @@
<!--==================================================================-->
+<section xml:id="ssec-relnotes-1.5.1"><title>Release 1.5.1 (February 28, 2013)</title>
+
+<para>The bug fix to the bug fix had a bug itself, of course. But
+this time it will work for sure!</para>
+
+</section>
+
+
+<!--==================================================================-->
+
+<section xml:id="ssec-relnotes-1.5"><title>Release 1.5 (February 27, 2013)</title>
+
+<para>This is a brown paper bag release to fix a regression introduced
+by the hard link security fix in 1.4.</para>
+
+</section>
+
+
+<!--==================================================================-->
+
+<section xml:id="ssec-relnotes-1.4"><title>Release 1.4 (February 26, 2013)</title>
+
+<para>This release fixes a security bug in multi-user operation. It
+was possible for derivations to cause the mode of files outside of the
+Nix store to be changed to 444 (read-only but world-readable) by
+creating hard links to those files (<link
+xlink:href="https://github.com/NixOS/nix/commit/5526a282b5b44e9296e61e07d7d2626a79141ac4">details</link>).</para>
+
+<para>There are also the following improvements:</para>
+
+<itemizedlist>
+
+ <listitem><para>New built-in function:
+ <function>builtins.hashString</function>.</para></listitem>
+
+ <listitem><para>Build logs are now stored in
+ <filename>/nix/var/log/nix/drvs/<replaceable>XX</replaceable>/</filename>,
+ where <replaceable>XX</replaceable> is the first two characters of
+ the derivation. This is useful on machines that keep a lot of build
+ logs (such as Hydra servers).</para></listitem>
+
+ <listitem><para>The function <function>corepkgs/fetchurl</function>
+ can now make the downloaded file executable. This will allow
+ getting rid of all bootstrap binaries in the Nixpkgs source
+ tree.</para></listitem>
+
+ <listitem><para>Language change: The expression <literal>"${./path}
+ ..."</literal> now evaluates to a string instead of a
+ path.</para></listitem>
+
+</itemizedlist>
+
+</section>
+
+
+<!--==================================================================-->
+
<section xml:id="ssec-relnotes-1.3"><title>Release 1.3 (January 4, 2013)</title>
<para>This is primarily a bug fix release. When this version is first
diff --git a/perl/lib/Nix/Store.xs b/perl/lib/Nix/Store.xs
index 00311aa8f..8154bcbb0 100644
--- a/perl/lib/Nix/Store.xs
+++ b/perl/lib/Nix/Store.xs
@@ -15,7 +15,7 @@
using namespace nix;
-void doInit()
+void doInit()
{
if (!store) {
try {
@@ -237,32 +237,35 @@ SV * derivationFromPath(char * drvPath)
doInit();
Derivation drv = derivationFromPath(*store, drvPath);
hash = newHV();
-
- /* TODO: handle drv.outputs */
-
+
+ HV * outputs = newHV();
+ for (DerivationOutputs::iterator i = drv.outputs.begin(); i != drv.outputs.end(); ++i)
+ hv_store(outputs, i->first.c_str(), i->first.size(), newSVpv(i->second.path.c_str(), 0), 0);
+ hv_stores(hash, "outputs", newRV((SV *) outputs));
+
AV * inputDrvs = newAV();
for (DerivationInputs::iterator i = drv.inputDrvs.begin(); i != drv.inputDrvs.end(); ++i)
av_push(inputDrvs, newSVpv(i->first.c_str(), 0)); // !!! ignores i->second
hv_stores(hash, "inputDrvs", newRV((SV *) inputDrvs));
-
+
AV * inputSrcs = newAV();
for (PathSet::iterator i = drv.inputSrcs.begin(); i != drv.inputSrcs.end(); ++i)
av_push(inputSrcs, newSVpv(i->c_str(), 0));
hv_stores(hash, "inputSrcs", newRV((SV *) inputSrcs));
-
+
hv_stores(hash, "platform", newSVpv(drv.platform.c_str(), 0));
hv_stores(hash, "builder", newSVpv(drv.builder.c_str(), 0));
-
+
AV * args = newAV();
for (Strings::iterator i = drv.args.begin(); i != drv.args.end(); ++i)
av_push(args, newSVpv(i->c_str(), 0));
hv_stores(hash, "args", newRV((SV *) args));
-
+
HV * env = newHV();
for (StringPairs::iterator i = drv.env.begin(); i != drv.env.end(); ++i)
hv_store(env, i->first.c_str(), i->first.size(), newSVpv(i->second.c_str(), 0), 0);
hv_stores(hash, "env", newRV((SV *) env));
-
+
RETVAL = newRV_noinc((SV *)hash);
} catch (Error & e) {
croak(e.what());
diff --git a/scripts/build-remote.pl.in b/scripts/build-remote.pl.in
index 458d31be9..dddd9e959 100755
--- a/scripts/build-remote.pl.in
+++ b/scripts/build-remote.pl.in
@@ -258,8 +258,9 @@ close UPLOADLOCK;
# Perform the build.
my $buildFlags =
- "--max-silent-time $maxSilentTime --option build-timeout $buildTimeout "
- . "--fallback --add-root $rootsDir/\$PPID.out --option verbosity 0";
+ "--max-silent-time $maxSilentTime --option build-timeout $buildTimeout"
+ . " --fallback --add-root $rootsDir/\$PPID.out --quiet"
+ . " --option build-keep-log false";
# We let the remote side kill its process group when the connection is
# closed unexpectedly. This is necessary to ensure that no processes
diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc
index 676dd3ac4..a1613a420 100644
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@@ -966,7 +966,7 @@ void ExprConcatStrings::eval(EvalState & state, Env & env, Value & v)
since paths are copied when they are used in a derivation),
and none of the strings are allowed to have contexts. */
if (first) {
- isPath = vStr.type == tPath;
+ isPath = !forceString && vStr.type == tPath;
first = false;
}
diff --git a/src/libexpr/nixexpr.hh b/src/libexpr/nixexpr.hh
index bc6c3287c..86a7bfd50 100644
--- a/src/libexpr/nixexpr.hh
+++ b/src/libexpr/nixexpr.hh
@@ -277,8 +277,10 @@ MakeBinOp(OpConcatLists, "++")
struct ExprConcatStrings : Expr
{
+ bool forceString;
vector<Expr *> * es;
- ExprConcatStrings(vector<Expr *> * es) : es(es) { };
+ ExprConcatStrings(bool forceString, vector<Expr *> * es)
+ : forceString(forceString), es(es) { };
COMMON_METHODS
};
diff --git a/src/libexpr/parser.y b/src/libexpr/parser.y
index 1819da5e1..66edfb548 100644
--- a/src/libexpr/parser.y
+++ b/src/libexpr/parser.y
@@ -203,7 +203,7 @@ static Expr * stripIndentation(SymbolTable & symbols, vector<Expr *> & es)
es2->push_back(new ExprString(symbols.create(s2)));
}
- return es2->size() == 1 ? (*es2)[0] : new ExprConcatStrings(es2);
+ return es2->size() == 1 ? (*es2)[0] : new ExprConcatStrings(true, es2);
}
@@ -318,7 +318,7 @@ expr_op
{ vector<Expr *> * l = new vector<Expr *>;
l->push_back($1);
l->push_back($3);
- $$ = new ExprConcatStrings(l);
+ $$ = new ExprConcatStrings(false, l);
}
| expr_op CONCAT expr_op { $$ = new ExprOpConcatLists($1, $3); }
| expr_app
@@ -349,7 +349,7 @@ expr_simple
/* For efficiency, and to simplify parse trees a bit. */
if ($2->empty()) $$ = new ExprString(data->symbols.create(""));
else if ($2->size() == 1) $$ = $2->front();
- else $$ = new ExprConcatStrings($2);
+ else $$ = new ExprConcatStrings(true, $2);
}
| IND_STRING_OPEN ind_string_parts IND_STRING_CLOSE {
$$ = stripIndentation(data->symbols, *$2);
diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc
index f8f893d69..f66b24b77 100644
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@@ -1107,6 +1107,21 @@ static void prim_unsafeDiscardOutputDependency(EvalState & state, Value * * args
}
+/* Return the cryptographic hash of a string in base-16. */
+static void prim_hashString(EvalState & state, Value * * args, Value & v)
+{
+ string type = state.forceStringNoCtx(*args[0]);
+ HashType ht = parseHashType(type);
+ if (ht == htUnknown)
+ throw Error(format("unknown hash type `%1%'") % type);
+
+ PathSet context; // discarded
+ string s = state.forceString(*args[1], context);
+
+ mkString(v, printHash(hashString(ht, s)), context);
+};
+
+
/*************************************************************
* Versions
*************************************************************/
@@ -1234,6 +1249,7 @@ void EvalState::createBaseEnv()
addPrimOp("__stringLength", 1, prim_stringLength);
addPrimOp("__unsafeDiscardStringContext", 1, prim_unsafeDiscardStringContext);
addPrimOp("__unsafeDiscardOutputDependency", 1, prim_unsafeDiscardOutputDependency);
+ addPrimOp("__hashString", 2, prim_hashString);
// Versions
addPrimOp("__parseDrvName", 1, prim_parseDrvName);
diff --git a/src/libmain/shared.cc b/src/libmain/shared.cc
index e869ef037..4796629dc 100644
--- a/src/libmain/shared.cc
+++ b/src/libmain/shared.cc
@@ -168,11 +168,10 @@ static void initAndRun(int argc, char * * argv)
remaining.clear();
/* Process default options. */
- int verbosityDelta = lvlInfo;
for (Strings::iterator i = args.begin(); i != args.end(); ++i) {
string arg = *i;
- if (arg == "--verbose" || arg == "-v") verbosityDelta++;
- else if (arg == "--quiet") verbosityDelta--;
+ if (arg == "--verbose" || arg == "-v") verbosity = (Verbosity) (verbosity + 1);
+ else if (arg == "--quiet") verbosity = verbosity > lvlError ? (Verbosity) (verbosity - 1) : lvlError;
else if (arg == "--log-type") {
string s = getArg(arg, i, args.end());
setLogType(s);
@@ -219,8 +218,6 @@ static void initAndRun(int argc, char * * argv)
else remaining.push_back(arg);
}
- verbosity = (Verbosity) (verbosityDelta < 0 ? 0 : verbosityDelta);
-
settings.update();
run(remaining);
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 75802c324..73223bc1a 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -43,6 +43,12 @@
#include <sched.h>
#endif
+/* In GNU libc 2.11, <sys/mount.h> does not define `MS_PRIVATE', but
+ <linux/fs.h> does. */
+#if !defined MS_PRIVATE && defined HAVE_LINUX_FS_H
+#include <linux/fs.h>
+#endif
+
#define CHROOT_ENABLED HAVE_CHROOT && HAVE_UNSHARE && HAVE_SYS_MOUNT_H && defined(MS_BIND) && defined(MS_PRIVATE) && defined(CLONE_NEWNS)
#if CHROOT_ENABLED
@@ -2281,7 +2287,7 @@ void DerivationGoal::computeClosure()
}
/* Get rid of all weird permissions. */
- canonicalisePathMetaData(path);
+ canonicalisePathMetaData(path, buildUser.enabled() ? buildUser.getUID() : -1);
/* For this output path, find the references to other paths
contained in it. Compute the SHA-256 NAR hash at the same
@@ -2343,13 +2349,15 @@ Path DerivationGoal::openLogFile()
{
if (!settings.keepLog) return "";
+ string baseName = baseNameOf(drvPath);
+
/* Create a log file. */
- Path dir = (format("%1%/%2%") % settings.nixLogDir % drvsLogDir).str();
+ Path dir = (format("%1%/%2%/%3%/") % settings.nixLogDir % drvsLogDir % string(baseName, 0, 2)).str();
createDirs(dir);
if (settings.compressLog) {
- Path logFileName = (format("%1%/%2%.bz2") % dir % baseNameOf(drvPath)).str();
+ Path logFileName = (format("%1%/%2%.bz2") % dir % string(baseName, 2)).str();
AutoCloseFD fd = open(logFileName.c_str(), O_CREAT | O_WRONLY | O_TRUNC, 0666);
if (fd == -1) throw SysError(format("creating log file `%1%'") % logFileName);
closeOnExec(fd);
@@ -2364,7 +2372,7 @@ Path DerivationGoal::openLogFile()
return logFileName;
} else {
- Path logFileName = (format("%1%/%2%") % dir % baseNameOf(drvPath)).str();
+ Path logFileName = (format("%1%/%2%") % dir % string(baseName, 2)).str();
fdLogFile = open(logFileName.c_str(), O_CREAT | O_WRONLY | O_TRUNC, 0666);
if (fdLogFile == -1) throw SysError(format("creating log file `%1%'") % logFileName);
closeOnExec(fdLogFile);
@@ -2831,7 +2839,7 @@ void SubstitutionGoal::finished()
return;
}
- canonicalisePathMetaData(destPath);
+ canonicalisePathMetaData(destPath, -1);
worker.store.optimisePath(destPath); // FIXME: combine with hashPath()
diff --git a/src/libstore/gc.cc b/src/libstore/gc.cc
index a6b1a35e7..113a7da15 100644
--- a/src/libstore/gc.cc
+++ b/src/libstore/gc.cc
@@ -659,7 +659,10 @@ void LocalStore::collectGarbage(const GCOptions & options, GCResults & results)
increase, since we hold locks on everything. So everything
that is not reachable from `roots'. */
- if (state.shouldDelete) createDirs(state.trashDir);
+ if (state.shouldDelete) {
+ if (pathExists(state.trashDir)) deleteGarbage(state, state.trashDir);
+ createDirs(state.trashDir);
+ }
/* Now either delete all garbage paths, or just the specified
paths (for gcDeleteSpecific). */
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index 596d4774c..b5a2a20be 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -10,6 +10,14 @@
namespace nix {
+/* The default location of the daemon socket, relative to nixStateDir.
+ The socket is in a directory to allow you to control access to the
+ Nix daemon by setting the mode/ownership of the directory
+ appropriately. (This wouldn't work on the socket itself since it
+ must be deleted and recreated on startup.) */
+#define DEFAULT_SOCKET_PATH "/daemon-socket/socket"
+
+
Settings settings;
@@ -58,6 +66,7 @@ void Settings::processEnvironment()
nixConfDir = canonPath(getEnv("NIX_CONF_DIR", NIX_CONF_DIR));
nixLibexecDir = canonPath(getEnv("NIX_LIBEXEC_DIR", NIX_LIBEXEC_DIR));
nixBinDir = canonPath(getEnv("NIX_BIN_DIR", NIX_BIN_DIR));
+ nixDaemonSocketFile = canonPath(nixStateDir + DEFAULT_SOCKET_PATH);
string subs = getEnv("NIX_SUBSTITUTERS", "default");
if (subs == "default") {
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index be287698c..f129d9a11 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -50,6 +50,9 @@ struct Settings {
/* The directory where the main programs are stored. */
Path nixBinDir;
+ /* File name of the socket the daemon listens to. */
+ Path nixDaemonSocketFile;
+
/* Whether to keep temporary directories of failed builds. */
bool keepFailed;
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
index 333feb2a5..4b8203efe 100644
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@@ -47,7 +47,11 @@ static void throwSQLiteError(sqlite3 * db, const format & f)
{
int err = sqlite3_errcode(db);
if (err == SQLITE_BUSY) {
- printMsg(lvlError, "warning: SQLite database is busy");
+ static bool warned = false;
+ if (!warned) {
+ printMsg(lvlError, "warning: SQLite database is busy");
+ warned = true;
+ }
/* Sleep for a while since retrying the transaction right away
is likely to fail again. */
#if HAVE_NANOSLEEP
@@ -461,36 +465,8 @@ void LocalStore::makeStoreWritable()
const time_t mtimeStore = 1; /* 1 second into the epoch */
-void canonicalisePathMetaData(const Path & path, bool recurse)
+static void canonicaliseTimestampAndPermissions(const Path & path, const struct stat & st)
{
- checkInterrupt();
-
- struct stat st;
- if (lstat(path.c_str(), &st))
- throw SysError(format("getting attributes of path `%1%'") % path);
-
- /* Really make sure that the path is of a supported type. This
- has already been checked in dumpPath(). */
- assert(S_ISREG(st.st_mode) || S_ISDIR(st.st_mode) || S_ISLNK(st.st_mode));
-
- /* Change ownership to the current uid. If it's a symlink, use
- lchown if available, otherwise don't bother. Wrong ownership
- of a symlink doesn't matter, since the owning user can't change
- the symlink and can't delete it because the directory is not
- writable. The only exception is top-level paths in the Nix
- store (since that directory is group-writable for the Nix build
- users group); we check for this case below. */
- if (st.st_uid != geteuid()) {
-#if HAVE_LCHOWN
- if (lchown(path.c_str(), geteuid(), (gid_t) -1) == -1)
-#else
- if (!S_ISLNK(st.st_mode) &&
- chown(path.c_str(), geteuid(), (gid_t) -1) == -1)
-#endif
- throw SysError(format("changing owner of `%1%' to %2%")
- % path % geteuid());
- }
-
if (!S_ISLNK(st.st_mode)) {
/* Mask out all type related bits. */
@@ -521,18 +497,84 @@ void canonicalisePathMetaData(const Path & path, bool recurse)
#endif
throw SysError(format("changing modification time of `%1%'") % path);
}
+}
+
+
+void canonicaliseTimestampAndPermissions(const Path & path)
+{
+ struct stat st;
+ if (lstat(path.c_str(), &st))
+ throw SysError(format("getting attributes of path `%1%'") % path);
+ canonicaliseTimestampAndPermissions(path, st);
+}
+
+
+typedef std::pair<dev_t, ino_t> Inode;
+typedef set<Inode> InodesSeen;
- if (recurse && S_ISDIR(st.st_mode)) {
+
+static void canonicalisePathMetaData_(const Path & path, uid_t fromUid, InodesSeen & inodesSeen)
+{
+ checkInterrupt();
+
+ struct stat st;
+ if (lstat(path.c_str(), &st))
+ throw SysError(format("getting attributes of path `%1%'") % path);
+
+ /* Really make sure that the path is of a supported type. This
+ has already been checked in dumpPath(). */
+ assert(S_ISREG(st.st_mode) || S_ISDIR(st.st_mode) || S_ISLNK(st.st_mode));
+
+ /* Fail if the file is not owned by the build user. This prevents
+ us from messing up the ownership/permissions of files
+ hard-linked into the output (e.g. "ln /etc/shadow $out/foo").
+ However, ignore files that we chown'ed ourselves previously to
+ ensure that we don't fail on hard links within the same build
+ (i.e. "touch $out/foo; ln $out/foo $out/bar"). */
+ if (fromUid != (uid_t) -1 && st.st_uid != fromUid) {
+ assert(!S_ISDIR(st.st_mode));
+ if (inodesSeen.find(Inode(st.st_dev, st.st_ino)) == inodesSeen.end())
+ throw BuildError(format("invalid ownership on file `%1%'") % path);
+ mode_t mode = st.st_mode & ~S_IFMT;
+ assert(S_ISLNK(st.st_mode) || (st.st_uid == geteuid() && (mode == 0444 || mode == 0555) && st.st_mtime == mtimeStore));
+ return;
+ }
+
+ inodesSeen.insert(Inode(st.st_dev, st.st_ino));
+
+ canonicaliseTimestampAndPermissions(path, st);
+
+ /* Change ownership to the current uid. If it's a symlink, use
+ lchown if available, otherwise don't bother. Wrong ownership
+ of a symlink doesn't matter, since the owning user can't change
+ the symlink and can't delete it because the directory is not
+ writable. The only exception is top-level paths in the Nix
+ store (since that directory is group-writable for the Nix build
+ users group); we check for this case below. */
+ if (st.st_uid != geteuid()) {
+#if HAVE_LCHOWN
+ if (lchown(path.c_str(), geteuid(), (gid_t) -1) == -1)
+#else
+ if (!S_ISLNK(st.st_mode) &&
+ chown(path.c_str(), geteuid(), (gid_t) -1) == -1)
+#endif
+ throw SysError(format("changing owner of `%1%' to %2%")
+ % path % geteuid());
+ }
+
+ if (S_ISDIR(st.st_mode)) {
Strings names = readDirectory(path);
foreach (Strings::iterator, i, names)
- canonicalisePathMetaData(path + "/" + *i, true);
+ canonicalisePathMetaData_(path + "/" + *i, fromUid, inodesSeen);
}
}
-void canonicalisePathMetaData(const Path & path)
+void canonicalisePathMetaData(const Path & path, uid_t fromUid)
{
- canonicalisePathMetaData(path, true);
+ InodesSeen inodesSeen;
+
+ canonicalisePathMetaData_(path, fromUid, inodesSeen);
/* On platforms that don't have lchown(), the top-level path can't
be a symlink, since we can't change its ownership. */
@@ -1194,7 +1236,7 @@ Path LocalStore::addToStoreFromDump(const string & dump, const string & name,
} else
writeFile(dstPath, dump);
- canonicalisePathMetaData(dstPath);
+ canonicalisePathMetaData(dstPath, -1);
/* Register the SHA-256 hash of the NAR serialisation of
the path in the database. We may just have computed it
@@ -1259,7 +1301,7 @@ Path LocalStore::addTextToStore(const string & name, const string & s,
writeFile(dstPath, s);
- canonicalisePathMetaData(dstPath);
+ canonicalisePathMetaData(dstPath, -1);
HashResult hash = hashPath(htSHA256, dstPath);
@@ -1494,7 +1536,7 @@ Path LocalStore::importPath(bool requireSignature, Source & source)
throw SysError(format("cannot move `%1%' to `%2%'")
% unpacked % dstPath);
- canonicalisePathMetaData(dstPath);
+ canonicalisePathMetaData(dstPath, -1);
/* !!! if we were clever, we could prevent the hashPath()
here. */
diff --git a/src/libstore/local-store.hh b/src/libstore/local-store.hh
index 2b0d71380..14a826b3a 100644
--- a/src/libstore/local-store.hh
+++ b/src/libstore/local-store.hh
@@ -307,9 +307,9 @@ private:
without execute permission; setuid bits etc. are cleared)
- the owner and group are set to the Nix user and group, if we're
in a setuid Nix installation. */
-void canonicalisePathMetaData(const Path & path);
+void canonicalisePathMetaData(const Path & path, uid_t fromUid);
-void canonicalisePathMetaData(const Path & path, bool recurse);
+void canonicaliseTimestampAndPermissions(const Path & path);
MakeError(PathInUse, Error);
diff --git a/src/libstore/optimise-store.cc b/src/libstore/optimise-store.cc
index e91c2b1ce..d833f3aa0 100644
--- a/src/libstore/optimise-store.cc
+++ b/src/libstore/optimise-store.cc
@@ -32,7 +32,7 @@ struct MakeReadOnly
{
try {
/* This will make the path read-only. */
- if (path != "") canonicalisePathMetaData(path, false);
+ if (path != "") canonicaliseTimestampAndPermissions(path);
} catch (...) {
ignoreException();
}
diff --git a/src/libstore/remote-store.cc b/src/libstore/remote-store.cc
index 0e62914c0..2b5a93213 100644
--- a/src/libstore/remote-store.cc
+++ b/src/libstore/remote-store.cc
@@ -91,7 +91,7 @@ void RemoteStore::connectToDaemon()
throw SysError("cannot create Unix domain socket");
closeOnExec(fdSocket);
- string socketPath = settings.nixStateDir + DEFAULT_SOCKET_PATH;
+ string socketPath = settings.nixDaemonSocketFile;
/* Urgh, sockaddr_un allows path names of only 108 characters. So
chdir to the socket directory so that we can pass a relative
diff --git a/src/libstore/worker-protocol.hh b/src/libstore/worker-protocol.hh
index 46035f457..07f825b92 100644
--- a/src/libstore/worker-protocol.hh
+++ b/src/libstore/worker-protocol.hh
@@ -53,14 +53,6 @@ typedef enum {
#define STDERR_ERROR 0x63787470
-/* The default location of the daemon socket, relative to nixStateDir.
- The socket is in a directory to allow you to control access to the
- Nix daemon by setting the mode/ownership of the directory
- appropriately. (This wouldn't work on the socket itself since it
- must be deleted and recreated on startup.) */
-#define DEFAULT_SOCKET_PATH "/daemon-socket/socket"
-
-
Path readStorePath(Source & from);
template<class T> T readStorePaths(Source & from);
diff --git a/src/nix-daemon/nix-daemon.cc b/src/nix-daemon/nix-daemon.cc
index 35e5c546e..9c6766557 100644
--- a/src/nix-daemon/nix-daemon.cc
+++ b/src/nix-daemon/nix-daemon.cc
@@ -774,7 +774,7 @@ static void daemonLoop()
if (fdSocket == -1)
throw SysError("cannot create Unix domain socket");
- string socketPath = settings.nixStateDir + DEFAULT_SOCKET_PATH;
+ string socketPath = settings.nixDaemonSocketFile;
createDirs(dirOf(socketPath));
diff --git a/src/nix-store/nix-store.cc b/src/nix-store/nix-store.cc
index af4f264a6..151ed97e4 100644
--- a/src/nix-store/nix-store.cc
+++ b/src/nix-store/nix-store.cc
@@ -238,12 +238,6 @@ static void printTree(const Path & path,
PathSet references;
store->queryReferences(path, references);
-#if 0
- for (PathSet::iterator i = drv.inputSrcs.begin();
- i != drv.inputSrcs.end(); ++i)
- cout << format("%1%%2%\n") % (tailPad + treeConn) % *i;
-#endif
-
/* Topologically sort under the relation A < B iff A \in
closure(B). That is, if derivation A is an (possibly indirect)
input of B, then A is printed first. This has the effect of
@@ -251,7 +245,7 @@ static void printTree(const Path & path,
Paths sorted = topoSortPaths(*store, references);
reverse(sorted.begin(), sorted.end());
- for (Paths::iterator i = sorted.begin(); i != sorted.end(); ++i) {
+ foreach (Paths::iterator, i, sorted) {
Paths::iterator j = i; ++j;
printTree(*i, tailPad + treeConn,
j == sorted.end() ? tailPad + treeNull : tailPad + treeLine,
@@ -293,7 +287,7 @@ static void opQuery(Strings opFlags, Strings opArgs)
else if (*i == "--resolve") query = qResolve;
else if (*i == "--roots") query = qRoots;
else if (*i == "--use-output" || *i == "-u") useOutput = true;
- else if (*i == "--force-realise" || *i == "-f") forceRealise = true;
+ else if (*i == "--force-realise" || *i == "--force-realize" || *i == "-f") forceRealise = true;
else if (*i == "--include-outputs") includeOutputs = true;
else throw UsageError(format("unknown flag `%1%'") % *i);
@@ -460,35 +454,42 @@ static void opReadLog(Strings opFlags, Strings opArgs)
foreach (Strings::iterator, i, opArgs) {
Path path = useDeriver(followLinksToStorePath(*i));
- Path logPath = (format("%1%/%2%/%3%") %
- settings.nixLogDir % drvsLogDir % baseNameOf(path)).str();
- Path logBz2Path = logPath + ".bz2";
-
- if (pathExists(logPath)) {
- /* !!! Make this run in O(1) memory. */
- string log = readFile(logPath);
- writeFull(STDOUT_FILENO, (const unsigned char *) log.data(), log.size());
- }
+ for (int j = 0; j <= 2; j++) {
+ if (j == 2) throw Error(format("build log of derivation `%1%' is not available") % path);
+
+ string baseName = baseNameOf(path);
+ Path logPath =
+ j == 0
+ ? (format("%1%/%2%/%3%/%4%") % settings.nixLogDir % drvsLogDir % string(baseName, 0, 2) % string(baseName, 2)).str()
+ : (format("%1%/%2%/%3%") % settings.nixLogDir % drvsLogDir % baseName).str();
+ Path logBz2Path = logPath + ".bz2";
+
+ if (pathExists(logPath)) {
+ /* !!! Make this run in O(1) memory. */
+ string log = readFile(logPath);
+ writeFull(STDOUT_FILENO, (const unsigned char *) log.data(), log.size());
+ break;
+ }
- else if (pathExists(logBz2Path)) {
- AutoCloseFD fd = open(logBz2Path.c_str(), O_RDONLY);
- FILE * f = 0;
- if (fd == -1 || (f = fdopen(fd.borrow(), "r")) == 0)
- throw SysError(format("opening file `%1%'") % logBz2Path);
- int err;
- BZFILE * bz = BZ2_bzReadOpen(&err, f, 0, 0, 0, 0);
- if (!bz) throw Error(format("cannot open bzip2 file `%1%'") % logBz2Path);
- unsigned char buf[128 * 1024];
- do {
- int n = BZ2_bzRead(&err, bz, buf, sizeof(buf));
- if (err != BZ_OK && err != BZ_STREAM_END)
- throw Error(format("error reading bzip2 file `%1%'") % logBz2Path);
- writeFull(STDOUT_FILENO, buf, n);
- } while (err != BZ_STREAM_END);
- BZ2_bzReadClose(&err, bz);
+ else if (pathExists(logBz2Path)) {
+ AutoCloseFD fd = open(logBz2Path.c_str(), O_RDONLY);
+ FILE * f = 0;
+ if (fd == -1 || (f = fdopen(fd.borrow(), "r")) == 0)
+ throw SysError(format("opening file `%1%'") % logBz2Path);
+ int err;
+ BZFILE * bz = BZ2_bzReadOpen(&err, f, 0, 0, 0, 0);
+ if (!bz) throw Error(format("cannot open bzip2 file `%1%'") % logBz2Path);
+ unsigned char buf[128 * 1024];
+ do {
+ int n = BZ2_bzRead(&err, bz, buf, sizeof(buf));
+ if (err != BZ_OK && err != BZ_STREAM_END)
+ throw Error(format("error reading bzip2 file `%1%'") % logBz2Path);
+ writeFull(STDOUT_FILENO, buf, n);
+ } while (err != BZ_STREAM_END);
+ BZ2_bzReadClose(&err, bz);
+ break;
+ }
}
-
- else throw Error(format("build log of derivation `%1%' is not available") % path);
}
}
@@ -514,7 +515,7 @@ static void registerValidity(bool reregister, bool hashGiven, bool canonicalise)
if (!store->isValidPath(info.path) || reregister) {
/* !!! races */
if (canonicalise)
- canonicalisePathMetaData(info.path);
+ canonicalisePathMetaData(info.path, -1);
if (!hashGiven) {
HashResult hash = hashPath(htSHA256, info.path);
info.hash = hash.first;
@@ -842,7 +843,7 @@ void run(Strings args)
Operation oldOp = op;
- if (arg == "--realise" || arg == "-r")
+ if (arg == "--realise" || arg == "--realize" || arg == "-r")
op = opRealise;
else if (arg == "--add" || arg == "-A")
op = opAdd;
@@ -884,7 +885,7 @@ void run(Strings args)
op = opVerifyPath;
else if (arg == "--repair-path")
op = opRepairPath;
- else if (arg == "--optimise")
+ else if (arg == "--optimise" || arg == "--optimize")
op = opOptimise;
else if (arg == "--query-failed-paths")
op = opQueryFailedPaths;
diff --git a/substitute.mk b/substitute.mk
index 967ad257b..940b1206b 100644
--- a/substitute.mk
+++ b/substitute.mk
@@ -37,6 +37,3 @@
-e "s^@testPath\@^$(coreutils):$$(dirname $$(type -p expr))^g" \
< $< > $@ || rm $@
if test -x $<; then chmod +x $@; fi
-
-$(CONFIG_HEADER):
- true
diff --git a/tests/nix-copy-closure.nix b/tests/nix-copy-closure.nix
index db6103b9c..ca09dffac 100644
--- a/tests/nix-copy-closure.nix
+++ b/tests/nix-copy-closure.nix
@@ -13,14 +13,14 @@ makeTest ({ pkgs, ... }: let pkgA = pkgs.aterm; pkgB = pkgs.wget; in {
virtualisation.pathsInNixDB = [ pkgA ];
environment.nix = nix;
};
-
+
server =
{ config, pkgs, ... }:
{ services.openssh.enable = true;
virtualisation.writableStore = true;
virtualisation.pathsInNixDB = [ pkgB ];
environment.nix = nix;
- };
+ };
};
testScript = { nodes }:
@@ -36,8 +36,8 @@ makeTest ({ pkgs, ... }: let pkgA = pkgs.aterm; pkgB = pkgs.wget; in {
# Install the SSH key on the server.
$server->succeed("mkdir -m 700 /root/.ssh");
$server->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
- $server->waitForJob("sshd");
- $client->waitForJob("network-interfaces");
+ $server->waitForUnit("sshd");
+ $client->waitForUnit("network.target");
$client->succeed("ssh -o StrictHostKeyChecking=no " . $server->name() . " 'echo hello world'");
# Copy the closure of package A from the client to the server.
diff --git a/tests/remote-builds.nix b/tests/remote-builds.nix
index b0d2547c6..6d38fb568 100644
--- a/tests/remote-builds.nix
+++ b/tests/remote-builds.nix
@@ -72,11 +72,11 @@ in
$client->succeed("chmod 600 /root/.ssh/id_dsa");
# Install the SSH key on the slaves.
- $client->waitForJob("network-interfaces");
+ $client->waitForUnit("network.target");
foreach my $slave ($slave1, $slave2) {
$slave->succeed("mkdir -m 700 /root/.ssh");
$slave->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
- $slave->waitForJob("sshd");
+ $slave->waitForUnit("sshd");
$client->succeed("ssh -o StrictHostKeyChecking=no " . $slave->name() . " 'echo hello world'");
}
diff --git a/version b/version
index a58941b07..8e03717dc 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-1.3 \ No newline at end of file
+1.5.1 \ No newline at end of file