[Nix-dev] Nix(OS) and passwords ? builtins.writeFileToPath proposal
Marc Weber
marco-oweber at gmx.de
Sun Dec 27 00:53:31 CET 2009
Excerpts from Michael Raskin's message of Sat Dec 26 15:06:44 +0100 2009:
> Nicolas Pierron wrote:
> > I thought multiple times about this issue. I see another solution which
> > implies the implementation of the following rules:
> >
> > - Restricted file/data should not be copied into the store and
> > should cause the failure of the build process.
> > - The permission of a derivation corresponds to the intersection of
> > all dependencies' permissions.
>
> Or easier... One can mark a derivation "restricted". Then it is only
> readable by the Nix daemon and root.
I don't think this will work.
You can write this derivation:

    mkDerivation {
      name = "getpasswords";
      derivation = "/nix/store/xxxxxxxxxxxxxxxxxxxxxxxxxxx-the-passwords";
      buildPhase = ''
        cp -r $derivation /tmp
        chmod -R 777 $derivation
      '';
    }

Or do you want to prohibit reusing "restricted" derivations ?
Michael Raskin: Yes, I thought about kind of propagating some restricted
feature as well. But I'd like to use KISS (keep it stupid simple).
Adding a writeFile would solve the problem and everyone can understand
it.
So I hope nobody minds me adding such a primop.
Marc Weber