[Nix-dev] Using "chattr -R +i" to ensure /nix/store entry immutability.

Michael Raskin 7c6f434c at mail.ru
Sat Aug 14 20:51:41 CEST 2010



		Hello.

	Currently, /nix/store entries have the "write permission" bit removed
after a successful build. This protects them from some writes. But
programs that have to be run as root may just assume that some file in
$PREFIX/share is writable and write there - it will work.

	Some filesystems (ext2-ext4 included) support "file attributes"
(notably immutability). As far as I know, the only way to write to a
file with "i" file attribute set is to call the ioctl to remove this
flag. While writing inside $PREFIX is often done in good faith, not many
programs need to do or do anything with file attributes.

	Is it a good idea to (optionally) run "chattr -R +i $out" after
successful builds and "chattr -R -i $path" when garbage collecting?
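An added illustration, not part of the message above, of the check a store operator would want after adopting this: walk a store path and report entries that still carry a write bit and entries that lack the "i" attribute. It assumes 64-bit Linux (the FS_IOC_GETFLAGS ioctl number is the 64-bit value from <linux/fs.h>) and that the paths are readable; on filesystems without inode attributes (older tmpfs, some network filesystems) the attribute check reports nothing rather than guessing.

```python
import array
import errno
import fcntl
import os
import stat

# FS_IOC_GETFLAGS = _IOR('f', 1, long) on 64-bit Linux; 32-bit uses 0x80046601.
FS_IOC_GETFLAGS = 0x80086601
FS_IMMUTABLE_FL = 0x00000010  # the "i" attribute that `chattr +i` sets


def inode_flags(path):
    """Return the inode attribute flags of `path` (what lsattr shows), or
    None when the filesystem does not implement FS_IOC_GETFLAGS."""
    # O_NOFOLLOW: a symlink has no attributes and must not lead outside the store.
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as e:
        if e.errno == errno.ELOOP:
            return None
        raise
    try:
        buf = array.array("l", [0])  # kernel writes a C long into this buffer
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf, True)
        return buf[0]
    except OSError as e:
        if e.errno in (errno.ENOTTY, errno.EOPNOTSUPP, errno.ENOSYS, errno.EINVAL):
            return None
        raise
    finally:
        os.close(fd)


def audit_store_path(root):
    """Return (writable, mutable): regular files and directories under `root`
    with any write bit set, and those without the immutable attribute.
    Mode bits alone do not stop root; the attribute does, hence both lists."""
    writable, mutable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(p)
            if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
                continue  # symlinks, sockets, etc. carry no attributes
            if st.st_mode & 0o222:
                writable.append(p)
            flags = inode_flags(p)
            if flags is not None and not flags & FS_IMMUTABLE_FL:
                mutable.append(p)
    return writable, mutable
```

Run it as `audit_store_path("/nix/store/<hash>-<name>")` after a build; a non-empty second list means `chattr -R +i $out` did not take effect on that filesystem.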


