[Nix-dev] Re: Using "chattr -R +i" to ensure /nix/store entry immutability.
Yury G. Kudryashov
urkud+nix at ya.ru
Sat Aug 14 21:49:03 CEST 2010
Michael Raskin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello.
>
> Currently, /nix/store entries have the "write permission" bit removed
> after a successful build. This protects them from some writes. But
> programs that have to be run as root may just assume that some file in
> $PREFIX/share is writable and write there - it will work.
>
> Some filesystems (ext2-ext4 included) support "file attributes"
> (notably immutability). As far as I know, the only way to write to a
> file with "i" file attribute set is to call the ioctl to remove this
> flag. While writing inside $PREFIX is often done in good faith, not many
> programs need to do or do anything with file attributes.
>
> Is it a good idea to (optionally) run "chattr -R +i $out" after
> successful builds and "chattr -R -i $path" when garbage collecting?
I agree, but first we should check store integrity on some real computer to
find out which files are overwritten and realise why they're overwritten
(AFAIR, something wrong with $linux/).
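The two hooks proposed in the quoted message ("chattr -R +i $out" after a build, "chattr -R -i $path" before garbage collection), plus the integrity check Yury asks for, written out as an added shell example. This is not code from the thread or from Nix itself; it assumes an ext2/3/4 store filesystem, root for chattr, and the standard lsattr output format ("<flags> <path>", with "<dir>:" header lines when run with -R). The sample lsattr output at the bottom is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the nix-dev thread.  Wrappers around chattr/lsattr
# for store paths, plus a parser that lists files still lacking the 'i' flag.

# Read lsattr output on stdin and print every path whose flag field has no
# lowercase 'i' (immutable).  Header lines ("/some/dir:") and blank lines from
# "lsattr -R" carry no path and are skipped.  The only lowercase 'i' lsattr
# ever prints in the flag field is the immutable flag ('I' is indexed-dir).
find_mutable() {
    while read -r flags path; do
        [ -n "$path" ] || continue        # skip "dir:" headers and blank lines
        case "$flags" in
            *i*) ;;                        # immutable flag present: fine
            *)   printf '%s\n' "$path" ;;  # writable-by-ioctl-free-root: report
        esac
    done
}

# Run after a successful build with $1 = $out.  Needs CAP_LINUX_IMMUTABLE (root).
seal_store_path() {
    chattr -R +i "$1"
}

# Run before the garbage collector unlinks $1; unlink fails on +i files otherwise.
unseal_store_path() {
    chattr -R -i "$1"
}

# Integrity check: list files under $1 that are not immutable.  Empty output
# means every file under the path is sealed.
check_store_path() {
    lsattr -R "$1" 2>/dev/null | find_mutable
}

# Constructed lsattr -R output for an imaginary store path (placeholder hash),
# used only to demonstrate the parser without touching a real filesystem.
SAMPLE_LSATTR='----i---------e----- /nix/store/0000placeholder-foo/bin/foo
--------------e----- /nix/store/0000placeholder-foo/share/data
/nix/store/0000placeholder-foo/share:

----i---------e----- /nix/store/0000placeholder-foo/share/x'

# Runs the parser over the constructed sample; returns the mutable paths.
demo_find_mutable() {
    printf '%s\n' "$SAMPLE_LSATTR" | find_mutable
}

# Usage when run directly: ./script.sh /nix/store/<hash>-<name> lists files
# under that path that a root process could still write to.
if [ -n "${1:-}" ]; then
    check_store_path "$1"
fi
```

The parser deliberately keys on the single lowercase 'i' character rather than a column position, since the width of lsattr's flag field has changed across e2fsprogs releases; the path is taken as the remainder of the line so names containing spaces survive.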