From a55112898e23df10a7a0d2a0cd359996100e3512 Mon Sep 17 00:00:00 2001 From: Alois Wohlschlager Date: Sat, 29 Jun 2024 20:23:17 +0200 Subject: libexpr/flake: allow automatic rejection of configuration options from flakes The `allow-flake-configuration` option allows the user to control whether to accept configuration options supplied by flakes. Unfortunately, setting this to false really meant "ask each time" (with an option to remember the choice for each specific option encountered). Let no mean no, and introduce (and default to) a separate value for the "ask each time" behaviour. Co-Authored-By: Jade Lovelace Change-Id: I7ccd67a95bfc92cffc1ebdc972d243f5191cc1b4 --- src/libfetchers/fetch-settings.cc | 43 +++++++++++++++++++++++++++++++++++++++ src/libfetchers/fetch-settings.hh | 16 +++++++++++---- 2 files changed, 55 insertions(+), 4 deletions(-) (limited to 'src/libfetchers') diff --git a/src/libfetchers/fetch-settings.cc b/src/libfetchers/fetch-settings.cc index e7d5244dc..aeb3c542b 100644 --- a/src/libfetchers/fetch-settings.cc +++ b/src/libfetchers/fetch-settings.cc @@ -1,7 +1,50 @@ +#include "abstract-setting-to-json.hh" +#include "args.hh" +#include "config-impl.hh" #include "fetch-settings.hh" +#include + namespace nix { +template<> AcceptFlakeConfig BaseSetting::parse(const std::string & str) const +{ + if (str == "true") return AcceptFlakeConfig::True; + else if (str == "ask") return AcceptFlakeConfig::Ask; + else if (str == "false") return AcceptFlakeConfig::False; + else throw UsageError("option '%s' has invalid value '%s'", name, str); +} + +template<> std::string BaseSetting::to_string() const +{ + if (value == AcceptFlakeConfig::True) return "true"; + else if (value == AcceptFlakeConfig::Ask) return "ask"; + else if (value == AcceptFlakeConfig::False) return "false"; + else abort(); +} + +template<> void BaseSetting::convertToArg(Args & args, const std::string & category) +{ + args.addFlag({ + .longName = name, + .description = "Accept Lix configuration options from flakes without confirmation. This allows flakes to gain root access to your machine if you are a trusted user; see the nix.conf manual page for more details.", + .category = category, + .handler = {[this]() { override(AcceptFlakeConfig::True); }} + }); + args.addFlag({ + .longName = "ask-" + name, + .description = "Ask whether to accept Lix configuration options from flakes.", + .category = category, + .handler = {[this]() { override(AcceptFlakeConfig::Ask); }} + }); + args.addFlag({ + .longName = "no-" + name, + .description = "Reject Lix configuration options from flakes.", + .category = category, + .handler = {[this]() { override(AcceptFlakeConfig::False); }} + }); +} + FetchSettings::FetchSettings() { } diff --git a/src/libfetchers/fetch-settings.hh b/src/libfetchers/fetch-settings.hh index 6fb260c3a..93123463c 100644 --- a/src/libfetchers/fetch-settings.hh +++ b/src/libfetchers/fetch-settings.hh @@ -11,6 +11,8 @@ namespace nix { +enum class AcceptFlakeConfig { False, Ask, True }; + struct FetchSettings : public Config { FetchSettings(); @@ -86,15 +88,21 @@ struct FetchSettings : public Config "Whether to use flake registries to resolve flake references.", {}, true, Xp::Flakes}; - Setting acceptFlakeConfig{this, false, "accept-flake-config", + Setting acceptFlakeConfig{ + this, AcceptFlakeConfig::Ask, "accept-flake-config", R"( Whether to accept Lix configuration from the `nixConfig` attribute of - a flake without prompting. This is almost always a very bad idea. - - Setting this setting as a trusted user allows Nix flakes to gain root + a flake. Doing so as a trusted user allows Nix flakes to gain root access on your machine if they set one of the several trusted-user-only settings that execute commands as root. + If set to `true`, such configuration will be accepted without asking; + this is almost always a very bad idea. Setting this to `ask` will + prompt the user each time whether to allow a certain configuration + option set this way, and offer to optionally remember their choice. + When set to `false`, the configuration will be automatically + declined. + See [multi-user installations](@docroot@/installation/multi-user.md) for more details on the Lix security model. )", -- cgit v1.2.3