[Nix-dev] Malicious installation methods

Maarten Hoogendoorn maarten at moretea.nl
Sat Jun 18 00:13:53 CEST 2016


First of all, you can install nix in another location, but then you won't
be able to use the binary cache anymore.

I thought a bit about how we could make this work:
- store the nix store physically in /var/lib/nix/store on Debian
- create a union fs in /var/lib/nix/nix-root of / and /var/lib/nix/store
- create "entrypoint" wrapper scripts in some well known path for each
profile, as a post processing step after profiles are generated.

These wrapper scripts would call a setuid binary to chroot into
/var/lib/nix/nix-root. Once a program enters the nix-universe chroot, it
can use the original binaries in the profiles again.

Please shoot holes in my reasoning!

2016-06-18 0:00 GMT+02:00 Yui Hirasawa <yui at cock.li>:

> >>>>>>> True, of course. But, there is a class of software projects which will
> >>>>>>> likely never be "packaged" by package managers - namely, other package
> >>>>>>> managers. Nix falls into this class, along with, for example, NPM,
> >>>>>>> Brew, Oh-My-Zsh, and others.
> >>>>>>
> >>>>>> What reason would there be to not package other package managers?
> >>>>>
> >>>>> IIRC, Debian won't package Nix because it violates the FHS (by requiring
> >>>>> a /nix directory).
> >>>>
> >>>> Is the nix root dir configurable? Would it be that horrible to have
> >>>> /opt/nix or /var/lib/nix or something else be the nix root on Debian?
> >>>
> >>> It's not strictly required, but it would mean losing out on all the binary
> >>> packages provided by the CI.
> >>
> >> Aren't they built in a chroot like Guix does? Why would anything break
> >> just because you change where they are installed?
> >
> > Because it invalidates all the store references.
>
> Seems like nix needs some redesign then.
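The setuid chroot "entrypoint" helper proposed at the top of this message, as an added example written here (not code from the thread or from Nix), with the two checks a reviewer would want: it only execs normalised /nix/store paths, and it drops root, and verifies the drop, before exec. NIX_ROOT and STORE_PREFIX are assumed from the proposal, and the union fs is assumed to be mounted there already.

```c
#define _GNU_SOURCE                      /* declares chroot(), setgroups() */
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NIX_ROOT "/var/lib/nix/nix-root"  /* assumed: the union-fs root */
#define STORE_PREFIX "/nix/store/"        /* only store paths may be run */

/* Only an absolute, normalised store path may be run through the helper;
 * otherwise a setuid chroot binary becomes a "run anything as root" tool. */
int target_allowed(const char *prog) {
    if (prog == NULL || strncmp(prog, STORE_PREFIX, strlen(STORE_PREFIX)) != 0)
        return 0;
    if (strstr(prog, "/../") != NULL || strstr(prog, "//") != NULL)
        return 0;
    size_t n = strlen(prog);
    return !(n >= 3 && strcmp(prog + n - 3, "/..") == 0);
}

/* Give up root for good: supplementary groups, then gid, then uid, and
 * verify root cannot be regained before anything is exec'ed. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* drop did not stick */
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 2 || !target_allowed(argv[1])) {
        fprintf(stderr, "usage: nix-enter /nix/store/<path>/bin/<prog> [args]\n");
        return 2;
    }
    /* chroot() must be followed by chdir("/"), or the working directory
     * still points outside the new root. */
    if (chroot(NIX_ROOT) != 0 || chdir("/") != 0) {
        perror("chroot " NIX_ROOT);
        return 1;
    }
    /* Drop back to the invoking user *before* running their program. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    execv(argv[1], argv + 1);
    perror(argv[1]);
    return 1;
}
```

A wrapper script for a profile entry then reduces to `exec /usr/local/bin/nix-enter /nix/store/<hash>-<name>/bin/<prog> "$@"`.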