[Nix-dev] eval or in-place expression execution

Sergey Mironov grrwlf at gmail.com
Fri Jul 11 10:11:32 CEST 2014


I agree, design is questionable, but I keep automatic tests together
with system being developed. Tests should know the original password
so I store it as plain Nix string. But my main question relates to the
fact that `import' can read the calculated path from /nix/store and
`builtins.readFile' can not. Is it a bug or a feature? Maybe import
also should block such attempts and I've just found an exploit?



2014-07-11 12:04 GMT+04:00 Luca Bruno <lethalman88 at gmail.com>:
> On 11/07/2014 09:46, Sergey Mironov wrote:
>> Hi. I need to do non-trivial string calculations (encrypt the password
>> with openssl) which AFAIK can't be written in Nix at the moment.
>> That's why I think about Nix `eval` equivalent. I wonder if it goes
>> against Nix concepts or not? My implementation looks like the
>> following:
>>
>>   encryptPassword = salt: pass : let
>>     p = runCommand "encryptPassword" {} ''
>>       printf '"%s"\n' `${openssl}/bin/openssl passwd -1 -salt ${salt} ${pass}` > $out
>>       '';
>>     in
>>       import p;   # <=== (1)
>>
>> It works but note the `import' expression. I tried builtins.readFile
>> instead of it in previous attempt but failed: Nix issued  [error:
>> string `... (1)' cannot refer to other paths] error. What is the
>> reason of such a difference between readFile and import?
> readFile is plain reading the contents of the file. import parses the
> file as a nix expression.
> However putting plain passwords in nix configurations is not a good
> thing. It's better if you write the password already encrypted in a
> file, and read it with readFile.
>
> Best regards
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
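An added example, not part of this thread and not code from either poster, showing the layout Luca suggests: the hash is produced once outside Nix, only the hash file is read at evaluation time with `builtins.readFile` (a plain source path, so no "cannot refer to other paths" error), and the plaintext never appears in the system configuration. A test can still check a candidate plaintext by recomputing the md5crypt hash with the salt embedded in the stored hash. The file name `./root-password.hash`, the `md5crypt`, `saltOf` and `checkHash` helpers, and the use of `pkgs.lib` from nixpkgs are assumptions for this example.

```nix
# Added example, not from the thread. Assumes ./root-password.hash was
# written out of band (e.g. `openssl passwd -1 -salt <salt> <password>`)
# and that <nixpkgs> is on NIX_PATH.
{ pkgs ? import <nixpkgs> {} }:

let
  lib = pkgs.lib;

  # readFile on a plain source path carries no store context, so it is
  # accepted at evaluation time. Strip the trailing newline openssl writes.
  hashedPassword = lib.removeSuffix "\n" (builtins.readFile ./root-password.hash);

  # md5crypt hashes look like $1$<salt>$<digest>; recover the salt so a
  # test can recompute the hash without storing the plaintext in the config.
  saltOf = hash: builtins.elemAt (lib.splitString "$" hash) 2;

  # Same import-from-derivation trick as in the thread, confined to the test.
  # Note the plaintext still lands in this derivation's build script in
  # /nix/store, so call it only from test code, never from the system config.
  md5crypt = salt: pass:
    import (pkgs.runCommand "md5crypt" { } ''
      printf '"%s"' "$(${pkgs.openssl}/bin/openssl passwd -1 \
        -salt ${lib.escapeShellArg salt} ${lib.escapeShellArg pass})" > $out
    '');

  # true when `candidate` hashes to the stored value under the stored salt
  checkHash = candidate: md5crypt (saltOf hashedPassword) candidate == hashedPassword;
in
{
  inherit hashedPassword checkHash;
}
```

Evaluate with `nix-instantiate --eval -A hashedPassword` next to the hash file; `checkHash "…"` forces a build of the `md5crypt` derivation during evaluation, which is the import-from-derivation behaviour the thread asks about, and is why it belongs in tests rather than in the configuration that produces the system.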

