[Nix-dev] new security possibilities?

Profpatsch mail at profpatsch.de
Thu Jul 7 13:03:42 CEST 2016


On 16-07-05 04:12pm, Syd Brisby wrote:
> Hi,
> 
> NixOS has a unique packaging system, with app separation

It goes deeper than that. Not only „apps“ are separated, but
logical units, like e.g. config files as well.

> and some
> degree of encryption.

None that I know of. Quite the contrary, the store is
world-readable.

> Not
> like relying on traditional passwords or firewalls. Something like
> having a fake filesystem labyrinth that could trap a hacker and
> prevent them from harming the system?

That’s called security by obscurity, and yes, nix has it partly
because of its unconventional directory layout.
But it’s nothing to bet your security on.

The only thing that really helps is to strongly restrict application
rights, what they can access and what they can do. We are probably
in a better position here, since we already have some sort of separation.
Also, services already get their own users, which is the traditional way.
User programs are still run with access to all of $HOME, though. Which
is where the interesting stuff normally lies.

-- 
Proudly written in Mutt with Vim on NixOS.
May take up to five days to read your message. If it’s urgent, call me.
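
One way to express the restriction described in the message above for a service, as a NixOS configuration fragment. This is an added example, not part of the original message; the service name `exampled` and its `ExecStart` command are hypothetical, and it uses systemd's sandboxing options, which the message does not name.

```nix
# configuration.nix fragment (constructed example; "exampled" is a hypothetical service)
{ pkgs, ... }:
{
  # Dedicated unprivileged account: the traditional per-service separation.
  users.users.exampled = {
    isSystemUser = true;
    group = "exampled";
  };
  users.groups.exampled = { };

  systemd.services.exampled = {
    description = "Hypothetical daemon run with restricted rights";
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      # Stand-in command; a real daemon's binary would go here.
      ExecStart = "${pkgs.coreutils}/bin/sleep infinity";
      User = "exampled";
      Group = "exampled";

      # What the service can access.
      ProtectHome = true;          # /home, /root and /run/user appear empty
      ProtectSystem = "strict";    # file system hierarchy is mounted read-only ...
      StateDirectory = "exampled"; # ... except /var/lib/exampled, created for it
      PrivateTmp = true;           # private /tmp and /var/tmp
      PrivateDevices = true;       # no access to physical devices

      # What the service can do.
      NoNewPrivileges = true;      # setuid binaries cannot raise privileges
      CapabilityBoundingSet = "";  # drop all Linux capabilities
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];

      # /nix/store stays readable to the service; these options only
      # narrow everything else.
    };
  };
}
```

These settings cover system services only; programs started from a user session still run with that user's access to `$HOME`.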

