From 88888160d239ed68118ba1d5f94cad0a0ca7521f Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 20 Oct 2004 14:40:54 +0000 Subject: [PATCH] * Fix nix-prefetch-url in setuid Nix installations. --- scripts/nix-prefetch-url.in | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/scripts/nix-prefetch-url.in b/scripts/nix-prefetch-url.in index 45b3ed7ee..8fc82c11b 100644 --- a/scripts/nix-prefetch-url.in +++ b/scripts/nix-prefetch-url.in @@ -7,9 +7,18 @@ if test -z "$url"; then exit 1 fi -# !!! race? should be relatively safe, `svn export' barfs if $tmpPath exists. +# !!! race tmpPath1=@storedir@/nix-prefetch-url-$$ +# Test whether we have write permission in the store. If not, fetch +# to /tmp and don't copy to the store. This is a hack to make this +# script at least work somewhat in setuid installations. +if ! touch $tmpPath1 2> /dev/null; then + echo "(cannot write to the store, result won't be cached)" >&2 + dummyMode=1 + tmpPath1=/tmp/nix-prefetch-url-$$ # !!! security? +fi + # Perform the checkout. @curl@ --fail --location --max-redirs 20 "$url" > $tmpPath1 @@ -17,22 +26,24 @@ tmpPath1=@storedir@/nix-prefetch-url-$$ hash=$(@bindir@/nix-hash --flat $tmpPath1) echo "hash is $hash" >&2 -# Rename it so that the fetchsvn builder can find it. -tmpPath2=@storedir@/nix-prefetch-url-$hash -test -e $tmpPath2 || mv $tmpPath1 $tmpPath2 # !!! race +# Rename it so that the fetchurl builder can find it. +if test "$dummyMode" != 1; then + tmpPath2=@storedir@/nix-prefetch-url-$hash + test -e $tmpPath2 || mv $tmpPath1 $tmpPath2 # !!! race +fi -# Create a Nix expression that does a fetchsvn. +# Create a Nix expression that does a fetchurl. storeExpr=$( \ - echo "(import @datadir@/nix/corepkgs/fetchurl) \ + echo "(import @datadir@/nix/corepkgs/fetchurl) \ {url = $url; md5 = \"$hash\"; system = \"@system@\";}" \ - | @bindir@/nix-instantiate -) + | @bindir@/nix-instantiate -) # Realise it. finalPath=$(@bindir@/nix-store -qnB --force-realise $storeExpr) - + echo "path is $finalPath" >&2 -rm -rf $tmpPath2 || true +rm -rf $tmpPath1 $tmpPath2 || true echo $hash