[Nix-dev] Nix(OS) and passwords ? builtins.writeFileToPath proposal

Nicolas Pierron nicolas.b.pierron at gmail.com
Sun Dec 27 01:10:48 CET 2009


On Sun, Dec 27, 2009 at 00:53, Marc Weber <marco-oweber at gmx.de> wrote:
> Excerpts from Michael Raskin's message of Sat Dec 26 15:06:44 +0100 2009:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Nicolas Pierron wrote:
>> > I though multiple times of this issues.  I see an other solution which
>> > implies the implementation of the following rules:
>> >
>> >    - Restricted file/data should not be copied into the store and
>> > should cause the failure of the build process.
>> >    - The permission of a derivation correspond to the intersection of
>> > all dependencies permissions.
>>
>> Or easier.. One can mark derivation "restricted". Then it is only
>> readable to Nix daemon and root.
>
> I don't think this will work.
>
> You can write this derivation:
>
>
> mkDerivation {
>  name ="getpasswords";
>  derivation = "/nix/store/xxxxxxxxxxxxxxxxxxxxxxxxxxx-the-passwords";
>
>  buildPhase = ''
>    cp -r $derivation /tmp
>    chmod -R 777 $derivation
>  '';
> }
>
> Or do you want to prohibit reusing "restricted" derivations ?
>
> Michael Raskin: Yes, I thought about kind of propagating some restricted
> feature as well. But I'd like to use KISS (keep it stupid simple).
> Adding a writeFile would solve the problem and everyone can understand
> it.
>
> So I hope nobody minds me adding such a primop.

I think you should wait for the answer of the Nix Guru.  Such prim-op
breaks the concept that Nix only write data inside the Nix store.
Other wrappers are made to handle links to the store.


-- 
Nicolas Pierron
http://www.linkedin.com/in/nicolasbpierron - http://nbp.name/
Lars Rasmussen (Google IO 2009) - Icland is an icland.



More information about the nix-dev mailing list