aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2015-02-17Use $<attr>Path instead of $<attr> for passAsFileEelco Dolstra
2015-02-17Allow passing attributes via files instead of environment variablesEelco Dolstra
Closes #473.
2015-02-17Keep sortedEelco Dolstra
2015-02-17Include NAR size in fingerprint computationEelco Dolstra
This is not strictly needed for integrity (since we already include the NAR hash in the fingerprint) but it helps against endless data attacks [1]. (However, this will also require download-from-binary-cache.pl to bail out if it receives more than the specified number of bytes.) [1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
2015-02-16Test chroot buildingEelco Dolstra
2015-02-16Use pivot_root in addition to chroot when possibleHarald van Dijk
chroot only changes the process root directory, not the mount namespace root directory, and it is well-known that any process with chroot capability can break out of a chroot "jail". By using pivot_root as well, and unmounting the original mount namespace root directory, breaking out becomes impossible. Non-root processes typically have no ability to use chroot() anyway, but they can gain that capability through the use of clone() or unshare(). For security reasons, these syscalls are limited in functionality when used inside a normal chroot environment. Using pivot_root() this way does allow those syscalls to be put to their full use.
2015-02-12Revert "Remove Fedora 18, 19 builds"Eelco Dolstra
This reverts commit 9c58691ce3a35833ddcbf157f9f174ab0cc1c37a. Fedora 18/19 images should build again.
2015-02-10Don't depend on libsodium on DarwinEelco Dolstra
It doesn't build at the moment. http://hydra.nixos.org/build/19557641
2015-02-10Make libsodium an optional dependencyEelco Dolstra
2015-02-10Add Fedora 21 buildEelco Dolstra
Fixes #467.
2015-02-10Add base64 encoder/decoderEelco Dolstra
2015-02-08nix-build: Respect -Q during evaluationShea Levy
Fixes #474
2015-02-05Remove tabEelco Dolstra
2015-02-04TypoEelco Dolstra
2015-02-04Require linux 3.13 or later for chrootShea Levy
Fixes #453
2015-02-04Sign a subset of the .narinfoEelco Dolstra
We only need to sign the store path, NAR hash and references (the "fingerprint"). Everything else is irrelevant to security. For instance, the compression algorithm or the hash of the compressed NAR don't matter as long as the contents of the uncompressed NAR are correct. (Maybe we should include derivers in the fingerprint, but they're broken and nobody cares about them. Also, it might be nice in the future if .narinfos contained signatures from multiple independent signers. But that's impossible if the deriver is included in the fingerprint, since everybody will tend to have a different deriver for the same store path.) Also renamed the "Signature" field to "Sig" since the format changed in an incompatible way.
2015-02-04Use libsodium instead of OpenSSL for binary cache signingEelco Dolstra
Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA signatures. Public keys are also much shorter, so they're now specified directly in the nix.conf option ‘binary-cache-public-keys’. The new command ‘nix-store --generate-binary-cache-key’ generates and prints a public and secret key.
2015-02-03Simplify parseHash32Eelco Dolstra
2015-02-03Simplify printHash32Eelco Dolstra
2015-01-30nix-install-package: follow symlinksJaka Hudoklin
2015-01-29Merge remote-tracking branch 'shlevy/baseNameOf-no-copy'Shea Levy
baseNameOf: Don't copy paths to the store first
2015-01-28Moves runHook to a later execution positionOliver Dunkl
It moves runHook to a later position in the rcfile. After that we are able to set the PS1 environment-variable for a nix-shell environment e.g.: # turn the color of the prompt to blue shellHook = '' export PS1="\n\[\033[1;34m\][\u@\h:\w]$\[\033[0m\] "; '';
2015-01-18Make inputs writeable in the sandbox (builds still can’t actually write ↵Daniel Peebles
due to user permissions)
2015-01-15Shut up "Wide character in print" warning in copy-from-other-stores.plEelco Dolstra
2015-01-15Fix assertion failure in nix-envEelco Dolstra
$ nix-env -f ~/Dev/nixops/ -iA foo nix-env: src/libexpr/eval.hh:57: void nix::Bindings::push_back(const nix::Attr&): Assertion `size_ < capacity' failed. Aborted
2015-01-15Set correct user agent for NAR downloads from binary cachesEelco Dolstra
2015-01-13Allow using /bin and /usr/bin as impure prefixes on non-darwin by defaultShea Levy
These directories are generally world-readable anyway, and give us the two most common linux impurities (env and sh)
2015-01-13SysError -> ErrorEelco Dolstra
2015-01-13Don't resolve symlinks while checking __impureHostDepsEelco Dolstra
Since these come from untrusted users, we shouldn't do any I/O on them before we've checked that they're in an allowed prefix.
2015-01-12Add basic Apple sandbox supportDaniel Peebles
2015-01-12doc: `nix-channel --remove` takes a name, not a urlTobias Geerinckx-Rice
2015-01-09Fix builtins.readDir on XFSEelco Dolstra
The DT_UNKNOWN fallback code was getting the type of the wrong path, causing readDir to report "directory" as the type of every file. Reported by deepfire on IRC.
2015-01-08Doh^2Eelco Dolstra
2015-01-08DohEelco Dolstra
2015-01-08Fix typo (assuming this is a typo)Данило Глинський (Danylo Hlynskyi)
Fix typo (assuming this is a typo) `allowedRequisites` mentions `allowedReferences` in code example
2015-01-08Set /nix/store permission to 1737Eelco Dolstra
I.e., not readable to the nixbld group. This improves purity a bit for non-chroot builds, because it prevents a builder from enumerating store paths (i.e. it can only access paths it knows about).
2015-01-08nix-shell: Add --run flagEelco Dolstra
‘--run’ is like ‘--command’, except that it runs the command in a non-interactive shell. This is important if you do things like: $ nix-shell --command make Hitting Ctrl-C while make is running drops you into the interactive Nix shell, which is probably not what you want. So you can now do $ nix-shell --run make instead.
2015-01-08nix-shell: Interpret filenames relative to the #!-scriptEelco Dolstra
So you can have a script like: #! /usr/bin/env nix-shell #! nix-shell script.nix -i python import prettytable x = prettytable.PrettyTable(["Foo", "Bar"]) for i in range(1, 10): x.add_row([i, i**2]) print x with a ‘script.nix’ in the same directory: with import <nixpkgs> {}; runCommand "dummy" { buildInputs = [ python pythonPackages.prettytable ]; } "" (Of course, in this particular case, using the ‘-p’ flag is more convenient.)
2015-01-08Allow nix-shell to be used as a #! interpreterEelco Dolstra
This allows scripts to fetch their own dependencies via nix-shell. For instance, here is a Haskell script that, when executed, pulls in GHC and the HTTP package: #! /usr/bin/env nix-shell #! nix-shell -i runghc -p haskellPackages.ghc haskellPackages.HTTP import Network.HTTP main = do resp <- Network.HTTP.simpleHTTP (getRequest "http://nixos.org/") body <- getResponseBody resp print (take 100 body) Or a Perl script that pulls in Perl and some CPAN packages: #! /usr/bin/env nix-shell #! nix-shell -i perl -p perl perlPackages.HTMLTokeParserSimple perlPackages.LWP use HTML::TokeParser::Simple; my $p = HTML::TokeParser::Simple->new(url => 'http://nixos.org/'); while (my $token = $p->get_tag("a")) { my $href = $token->get_attr("href"); print "$href\n" if $href; } Note that the options to nix-shell must be given on a separate line that starts with the magic string ‘#! nix-shell’. This is because ‘env’ does not allow passing arguments to an interpreter directly.
2015-01-07nix-shell --command: Remove bogus argument to "exit"Eelco Dolstra
Fixes "exit: Inappropriate: numeric argument required" errors.
2015-01-07Show position info for failing <...> lookupsEelco Dolstra
2015-01-07Remove quotes around filenames in position infoEelco Dolstra
2015-01-06Document how to set up build users on Mac OS XEelco Dolstra
2015-01-06Fix building on DarwinEelco Dolstra
Fixes #433.
2015-01-05Merge pull request #431 from j-keck/masterRob Vermaas
small documentation fixes
2015-01-05doc: remove wrong phrase.j-keck
'... another level of indirection not shown in the figure above ...' but in the 'user-environments.png' figure there is '~/.nix-profile'. the figure was updated with the commit: f982df3 on Mar 16, 2005.
2015-01-05doc: remove double wordj-keck
'... when when ...' -> '... when ...'
2015-01-02Allow $NIX_PAGER to override $PAGEREelco Dolstra
2015-01-02libutil: Limit readLink() error to only overflows.aszlig
Let's not just improve the error message itself, but also the behaviour to actually work around the ntfs-3g symlink bug. If the readlink() call returns a smaller size than the stat() call, this really isn't a problem even if the symlink target really has changed between the calls. So if stat() reports the size for the absolute path, it's most likely that the relative path is smaller and thus it should also work for file system bugs as mentioned in 93002d69fc58c2b71e2dfad202139230c630c53a. Signed-off-by: aszlig <aszlig@redmoonstudios.org> Tested-by: John Ericson <Ericson2314@Yahoo.com>
2015-01-02libutil: Improve errmsg on readLink size mismatch.aszlig
A message like "error: reading symbolic link `...' : Success" really is quite confusing, so let's not indicate "success" but rather point out the real issue. We could also limit the check of this to just check for non-negative values, but this would introduce a race condition between stat() and readlink() if the link target changes between those two calls, thus leading to a buffer overflow vulnerability. Reported by @Ericson2314 on IRC. Happened due to a possible ntfs-3g bug where a relative symlink returned the absolute path (st_)size in stat() while readlink() returned the relative size. Signed-off-by: aszlig <aszlig@redmoonstudios.org> Tested-by: John Ericson <Ericson2314@Yahoo.com>