[Nix-dev] NIX_OTHER_STORES and security?

Michael Raskin 7c6f434c at mail.ru
Tue Nov 25 12:30:56 CET 2008



Marc Weber wrote:
> I'm not sure I've understood how this works:
> 
> So can I copy some dirs from /nix/store to my home directory,
> modify them, change their hash to a hash which is very likely to be
> installed by the system anyway later on (due to updates or such)
> and ask the system to install that *update* which is indeed malware?

All env-vars are checked by the process doing the build. It is nix-store
with root rights or nix-worker. It is not a protocol change (which
would need some security) - it is a change requiring store write access
to use.


