[Nix-dev] Best practices for handling setuid build inputs

Kirill Elagin kirelagin at gmail.com
Sun May 10 07:10:25 CEST 2015


First of all, you should realise that it is not possible to handle this on
the side of Nix/Nixpkgs. The user is free to build any expression he likes
and it follows that it is insecure for Nix to produce any kind of suid
binaries.

You can see how [NixOS does this](
https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/setuid-wrappers.nix)
(basically, there is a hard-coded list of binaries known to be “good” which
are impurely wrapped using [setuid-wrapper](
https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/setuid-wrapper.c)
during the activation phase).

So, in general, the process has two steps. First, your Nix expression
generates a description of the list of binaries that have to become suid.
Second, you, as root, use this description to wrap the files. In case of
NixOS the “description” generated is just a shell script that wraps the
files when executed. You can reuse most of the code so that you’ll have
this script as part of the output and all you’ll have to do is run it as
root when the build finishes.

What I don’t understand is what are those `chroot` and `ping` binaries you
are talking about that have to become suid. Does your build produce them?
Are you building something like an OS? In this case, it might be better to
test those not on your actual system, but in a VM.

On Sun, May 10, 2015 at 12:54 AM Kosyrev Serge <_deepfire at feelingofgreen.ru>
wrote:

> Hi!
>
> What is the best way to work around Nix's lack of support
> for setuid binaries?
>
> The build/test process I'm trying to describe in Nix unfortunately has
> hard dependencies on multiple setuid binaries -- chroot, ping etc.
>
> The workflow I'm aiming to support revolves around performing
> builds/tests within the environment provided by `nix-shell --pure`.
>
>
> --
> regards,
> Косырев Серёга
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
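The two-step split described in the reply above, as an added example sketch; this is not code from the thread, from NixOS or from nixpkgs. It assumes a nixpkgs checkout in NIX_PATH, the attribute names `pkgs.iputils` and `pkgs.coreutils`, a hypothetical wrapper directory `/run/my-setuid-wrappers`, and, for simplicity, copies each binary out of the store instead of using the small C wrapper that NixOS's setuid-wrapper.c provides. The pure build only ever writes a text description plus a script; nothing in the store ends up setuid.

```nix
# Added example (not from the thread or nixpkgs): a derivation whose output is
# a description of the binaries that must become setuid, plus a shell script
# that root runs after the build to create the wrappers outside the store.
{ pkgs ? import <nixpkgs> {} }:

let
  # Hypothetical, fixed list of (package, binary) pairs the build/test needs.
  # Keeping this list in the expression, not computed from user input, is what
  # makes the root-side script safe to review once and run repeatedly.
  setuidPrograms = [
    { pkg = pkgs.iputils;   bin = "ping"; }
    { pkg = pkgs.coreutils; bin = "chroot"; }
  ];

  # Directory outside the Nix store where root places the wrappers (assumed path).
  wrapperDir = "/run/my-setuid-wrappers";

  # Step 1 (pure): emit one line per binary: "<store path of binary> <name>".
  description = pkgs.writeText "setuid-programs.txt"
    (pkgs.lib.concatMapStringsSep "\n"
      (p: "${p.pkg}/bin/${p.bin} ${p.bin}") setuidPrograms);

  # Step 2 (impure, run by root): read the description and create the wrappers.
  # The Nix build itself never touches ownership or mode bits.
  installScript = pkgs.writeScript "install-setuid-wrappers" ''
    #!${pkgs.stdenv.shell}
    set -eu
    if [ "$(id -u)" -ne 0 ]; then
      echo "install-setuid-wrappers: must run as root" >&2
      exit 1
    fi
    mkdir -p ${wrapperDir}
    chmod 0755 ${wrapperDir}
    while read -r target name; do
      # Copy rather than symlink: the kernel ignores setuid on symlinks, and
      # the store file itself must stay non-setuid (NixOS uses a C wrapper
      # that execs the store binary instead; a copy is the simplest stand-in).
      install -m 0755 -o root -g root "$target" "${wrapperDir}/$name"
      chmod u+s "${wrapperDir}/$name"
    done < ${description}
    echo "setuid wrappers installed in ${wrapperDir}"
  '';
in
pkgs.runCommand "setuid-wrapper-bundle" {} ''
  mkdir -p $out/bin
  cp ${description} $out/setuid-programs.txt
  ln -s ${installScript} $out/bin/install-setuid-wrappers
''
```

After `nix-build`, root runs `./result/bin/install-setuid-wrappers` once; inside `nix-shell --pure` the wrapper directory then has to be prepended to PATH by hand, since `--pure` resets it. Two checks worth making before relying on this: the wrapper directory must be on a filesystem not mounted `nosuid`, and `result/setuid-programs.txt` should be read before the script is run as root, because it is the complete record of what will gain the setuid bit.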