lix-project/lix
20
55
Fork 31
Code Issues 346 Code Review (Gerrit) Projects 3 Releases Wiki Activity
lix/src/libmain/shared.cc

389 lines
11 KiB
C++
Raw Normal View History

* Refactoring: move initialisation and argument parsing into a shared file.
2003-07-04 15:42:03 +00:00
#include <iostream>
* Debug levels. Use `--verbose / -v LEVEL' to display only messages up to the given verbosity levels. These currently are: lvlError = 0, lvlNormal = 5, lvlDebug = 10, lvlDebugMore = 15 although only lvlError and lvlDebug are actually used right now.
2003-07-24 08:53:43 +00:00
#include <cctype>
* Refactoring: move initialisation and argument parsing into a shared file.
2003-07-04 15:42:03 +00:00
* Disallow the Nix store or any of its parents from being symlinks. This is because the contents of these symlinks are not incorporated into the hashes of derivations, and could therefore cause a mismatch between the build system and the target system. E.g., if `/nix/store' is a symlink to `/data/nix/store', then a builder could expand this path and store the result. If on the target system `/nix/store' is not a symlink, or is a symlink that points somewhere else, we have a dangling pointer. The trigger for this change is that gcc 3.3.3 does exactly that (it applies realpath() to some files, such as libraries, which causes our impurity checker to bail out.) An annoying side-effect of this change is that it makes it harder to move the Nix store to a different file system. On Linux, bind mounts can be used instead of symlink for this purpose (e.g., `mount -o bind /data/nix/store /nix/store').
2004-03-27 17:58:04 +00:00
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
* Setuid support for sharing a Nix installation between multiple users. If the configure flag `--enable-setuid' is used, the Nix programs nix-env, nix-store, etc. are installed with the setuid bit turned on so that they are executed as the user and group specified by `--with-nix-user=USER' and `--with-nix-group=GROUP', respectively (with defaults `nix' and `nix'). The setuid programs drop all special privileges if they are executed by a user who is not a member of the Nix group. The setuid feature is a quick hack to enable sharing of a Nix installation between users who trust each other. It is not generally secure, since any user in the Nix group can modify (by building an appropriate derivation) any object in the store, and for instance inject trojans into binaries used by other users. The setuid programs are owned by root, not the Nix user. This is because on Unix normal users cannot change the real uid, only the effective uid. Many programs don't work properly when the real uid differs from the effective uid. For instance, Perl will turn on taint mode. However, the setuid programs drop all root privileges immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
#include <pwd.h>
#include <grp.h>
* Refactoring: move initialisation and argument parsing into a shared file.
2003-07-04 15:42:03 +00:00
extern "C" {
#include <aterm2.h>
}
#include "globals.hh"
* Automatically remove temporary root files.
2005-01-31 21:20:59 +00:00
#include "gc.hh"
* Refactoring: move initialisation and argument parsing into a shared file.
2003-07-04 15:42:03 +00:00
#include "shared.hh"
#include "config.h"
* True parallel builds. Nix can now run as many build jobs in parallel as possible (similar to GNU Make's `-j' switch). This is useful on SMP systems, but it is especially useful for doing builds on multiple machines. The idea is that a large derivation is initiated on one master machine, which then distributes sub-derivations to any number of slave machines. This should not happen synchronously or in lock-step, so the master must be capable of dealing with multiple parallel build jobs. We now have the infrastructure to support this. TODO: substitutes are currently broken.
2004-05-11 18:05:44 +00:00
volatile sig_atomic_t blockInt = 0;
* Catch SIGINT to terminate cleanly when the user tries to interrupt Nix. This is to prevent Berkeley DB from becoming wedged. Unfortunately it is not possible to throw C++ exceptions from a signal handler. In fact, you can't do much of anything except change variables of type `volatile sig_atomic_t'. So we set an interrupt flag in the signal handler and check it at various strategic locations in the code (by calling checkInterrupt()). Since this is unlikely to cover all cases (e.g., (semi-)infinite loops), sometimes SIGTERM may now be required to kill Nix.
2004-01-15 20:23:55 +00:00
void sigintHandler(int signo)
{
* True parallel builds. Nix can now run as many build jobs in parallel as possible (similar to GNU Make's `-j' switch). This is useful on SMP systems, but it is especially useful for doing builds on multiple machines. The idea is that a large derivation is initiated on one master machine, which then distributes sub-derivations to any number of slave machines. This should not happen synchronously or in lock-step, so the master must be capable of dealing with multiple parallel build jobs. We now have the infrastructure to support this. TODO: substitutes are currently broken.
2004-05-11 18:05:44 +00:00
if (!blockInt) {
_isInterrupted = 1;
blockInt = 1;
}
* Catch SIGINT to terminate cleanly when the user tries to interrupt Nix. This is to prevent Berkeley DB from becoming wedged. Unfortunately it is not possible to throw C++ exceptions from a signal handler. In fact, you can't do much of anything except change variables of type `volatile sig_atomic_t'. So we set an interrupt flag in the signal handler and check it at various strategic locations in the code (by calling checkInterrupt()). Since this is unlikely to cover all cases (e.g., (semi-)infinite loops), sometimes SIGTERM may now be required to kill Nix.
2004-01-15 20:23:55 +00:00
}
* nix-store, nix-instantiate: added an option `--add-root' to immediately add the result as a permanent GC root. This is the only way to prevent a race with the garbage collector. For instance, the old style ln -s $(nix-store -r $(nix-instantiate foo.nix)) \ /nix/var/nix/gcroots/result has two time windows in which the garbage collector can interfere (by GC'ing the derivation and the output, respectively). On the other hand, nix-store --add-root /nix/var/nix/gcroots/result -r \ $(nix-instantiate --add-root /nix/var/nix/gcroots/drv \ foo.nix) is safe. * nix-build: use `--add-root' to prevent GC races.
2005-02-01 12:36:25 +00:00
Path makeRootName(const Path & gcRoot, int & counter)
{
counter++;
if (counter == 1)
return gcRoot;
else
return (format("%1%-%2%") % gcRoot % counter).str();
}
void printGCWarning()
{
static bool warned = false;
if (!warned) {
printMsg(lvlInfo,
"warning: you did not specify `--add-root'; "
"the result might be removed by the garbage collector");
warned = true;
}
}
* Nix now has three different formats for the log information it writes to stderr: - `pretty': the old nested style (default) - `escapes': uses escape codes to indicate nesting and message level; can be processed using `log2xml' - `flat': just plain text, no nesting These can be set using `--log-type TYPE' or the NIX_LOG_TYPE environment variable.
2004-03-22 20:53:49 +00:00
void setLogType(string lt)
{
if (lt == "pretty") logType = ltPretty;
else if (lt == "escapes") logType = ltEscapes;
else if (lt == "flat") logType = ltFlat;
else throw UsageError("unknown log type");
}
* Disallow the Nix store or any of its parents from being symlinks. This is because the contents of these symlinks are not incorporated into the hashes of derivations, and could therefore cause a mismatch between the build system and the target system. E.g., if `/nix/store' is a symlink to `/data/nix/store', then a builder could expand this path and store the result. If on the target system `/nix/store' is not a symlink, or is a symlink that points somewhere else, we have a dangling pointer. The trigger for this change is that gcc 3.3.3 does exactly that (it applies realpath() to some files, such as libraries, which causes our impurity checker to bail out.) An annoying side-effect of this change is that it makes it harder to move the Nix store to a different file system. On Linux, bind mounts can be used instead of symlink for this purpose (e.g., `mount -o bind /data/nix/store /nix/store').
2004-03-27 17:58:04 +00:00
void checkStoreNotSymlink(Path path)
{
struct stat st;
while (path.size()) {
if (lstat(path.c_str(), &st))
throw SysError(format("getting status of `%1%'") % path);
if (S_ISLNK(st.st_mode))
throw Error(format(
"the path `%1%' is a symlink; "
"this is not allowed for the Nix store and its parent directories")
% path);
path = dirOf(path);
}
}
* Automatically remove temporary root files.
2005-01-31 21:20:59 +00:00
struct RemoveTempRoots
{
~RemoveTempRoots()
{
removeTempRoots();
}
};
* Renamed `normalise.cc' -> `build.cc', `storeexprs.cc' -> `derivations.cc', etc. * Store the SHA-256 content hash of store paths in the database after they have been built/added. This is so that we can check whether the store has been messed with (a la `rpm --verify'). * When registering path validity, verify that the closure property holds.
2005-01-19 16:39:47 +00:00
void initDerivationsHelpers();
* Drop ATmake / ATMatcher also in handling store expressions.
2004-10-29 11:22:49 +00:00
* Refactoring: move initialisation and argument parsing into a shared file.
2003-07-04 15:42:03 +00:00
/* Initialize and reorder arguments, then call the actual argument
processor. */
static void initAndRun(int argc, char * * argv)
{
* Allow the location of the store etc. to be specified using environment variables. * Started adding some automatic tests. * Do a `make check' when building RPMs.
2004-05-04 12:15:30 +00:00
string root = getEnv("NIX_ROOT");
if (root != "") {
if (chroot(root.c_str()) != 0)
* The environment variable NIX_ROOT can now be set to execute Nix in a chroot() environment. * A operation `--validpath' to register path validity. Useful for bootstrapping in a pure Nix environment. * Safety checks: ensure that files involved in store operations are in the store.
2004-02-14 21:44:18 +00:00
throw SysError(format("changing root to `%1%'") % root);
}
* Refactoring: move initialisation and argument parsing into a shared file.
2003-07-04 15:42:03 +00:00
/* Setup Nix paths. */
* Use NIX_STORE environment variable to locate the store (in addition to NIX_STORE_DIR) so that Nix invocations in builders in `make check' work correctly if the store doesn't exist.
2005-01-28 13:19:16 +00:00
nixStore = canonPath(getEnv("NIX_STORE_DIR", getEnv("NIX_STORE", NIX_STORE_DIR)));
* Start move towards SHA-256 hashes instead of MD5. * Start cleaning up unique store path generation (they weren't always unique; in particular the suffix ("-aterm-2.2", "-builder.sh") was not part of the hash, therefore changes to the suffix would cause multiple store objects with the same hash).
2005-01-14 13:51:38 +00:00
nixDataDir = canonPath(getEnv("NIX_DATA_DIR", NIX_DATA_DIR));
nixLogDir = canonPath(getEnv("NIX_LOG_DIR", NIX_LOG_DIR));
nixStateDir = canonPath(getEnv("NIX_STATE_DIR", NIX_STATE_DIR));
* Allow the location of the store etc. to be specified using environment variables. * Started adding some automatic tests. * Do a `make check' when building RPMs.
2004-05-04 12:15:30 +00:00
nixDBPath = getEnv("NIX_DB_DIR", nixStateDir + "/db");
* A GC setting `gc-keep-outputs' to specify whether output paths of derivations should be kept.
2005-02-01 22:07:48 +00:00
nixConfDir = canonPath(getEnv("NIX_CONF_DIR", NIX_CONF_DIR));
* Disallow the Nix store or any of its parents from being symlinks. This is because the contents of these symlinks are not incorporated into the hashes of derivations, and could therefore cause a mismatch between the build system and the target system. E.g., if `/nix/store' is a symlink to `/data/nix/store', then a builder could expand this path and store the result. If on the target system `/nix/store' is not a symlink, or is a symlink that points somewhere else, we have a dangling pointer. The trigger for this change is that gcc 3.3.3 does exactly that (it applies realpath() to some files, such as libraries, which causes our impurity checker to bail out.) An annoying side-effect of this change is that it makes it harder to move the Nix store to a different file system. On Linux, bind mounts can be used instead of symlink for this purpose (e.g., `mount -o bind /data/nix/store /nix/store').
2004-03-27 17:58:04 +00:00
/* Check that the store directory and its parent are not
symlinks. */
* Allow the location of the store etc. to be specified using environment variables. * Started adding some automatic tests. * Do a `make check' when building RPMs.
2004-05-04 12:15:30 +00:00
if (getEnv("NIX_IGNORE_SYMLINK_STORE") != "1")
checkStoreNotSymlink(nixStore);
* Refactoring: move initialisation and argument parsing into a shared file.
2003-07-04 15:42:03 +00:00
* Catch SIGINT to terminate cleanly when the user tries to interrupt Nix. This is to prevent Berkeley DB from becoming wedged. Unfortunately it is not possible to throw C++ exceptions from a signal handler. In fact, you can't do much of anything except change variables of type `volatile sig_atomic_t'. So we set an interrupt flag in the signal handler and check it at various strategic locations in the code (by calling checkInterrupt()). Since this is unlikely to cover all cases (e.g., (semi-)infinite loops), sometimes SIGTERM may now be required to kill Nix.
2004-01-15 20:23:55 +00:00
/* Catch SIGINT. */
struct sigaction act, oact;
act.sa_handler = sigintHandler;
sigfillset(&act.sa_mask);
act.sa_flags = 0;
if (sigaction(SIGINT, &act, &oact))
throw SysError("installing handler for SIGINT");
* The build hooks used to implement distributed builds can now be run in parallel. Hooks are more efficient: locks on output paths are only acquired when the hook says that it is willing to accept a build job. Hooks now work in two phases. First, they should first tell Nix whether they are willing to accept a job. Nix guarantuees that no two hooks will ever be in the first phase at the same time (this simplifies the implementation of hooks, since they don't have to perform locking (?)). Second, if they accept a job, they are then responsible for building it (on the remote system), and copying the result back. These can be run in parallel with other hooks and locally executed jobs. The implementation is a bit messy right now, though. * The directory `distributed' shows a (hacky) example of a hook that distributes build jobs over a set of machines listed in a configuration file.
2004-05-13 19:14:49 +00:00
/* Ignore SIGPIPE. */
act.sa_handler = SIG_IGN;
act.sa_flags = 0;
if (sigaction(SIGPIPE, &act, &oact))
throw SysError("ignoring SIGPIPE");
* Set the umask to known value (0022). This is important in a setuid installation, since the calling user may have a more fascist umask (say, 0077), which would cause the store objects built by Nix to be unreadable to anyone other than the Nix user.
2004-09-09 14:16:02 +00:00
/* There is no privacy in the Nix system ;-) At least not for
now. In particular, store objects should be readable by
everybody. This prevents nasty surprises when using a shared
store (with the setuid() hack). */
umask(0022);
* Nix now has three different formats for the log information it writes to stderr: - `pretty': the old nested style (default) - `escapes': uses escape codes to indicate nesting and message level; can be processed using `log2xml' - `flat': just plain text, no nesting These can be set using `--log-type TYPE' or the NIX_LOG_TYPE environment variable.
2004-03-22 20:53:49 +00:00
/* Process the NIX_LOG_TYPE environment variable. */
* Allow the location of the store etc. to be specified using environment variables. * Started adding some automatic tests. * Do a `make check' when building RPMs.
2004-05-04 12:15:30 +00:00
string lt = getEnv("NIX_LOG_TYPE");
if (lt != "") setLogType(lt);
* Nix now has three different formats for the log information it writes to stderr: - `pretty': the old nested style (default) - `escapes': uses escape codes to indicate nesting and message level; can be processed using `log2xml' - `flat': just plain text, no nesting These can be set using `--log-type TYPE' or the NIX_LOG_TYPE environment variable.
2004-03-22 20:53:49 +00:00
* Drop ATmake / ATMatcher also in handling store expressions.
2004-10-29 11:22:49 +00:00
/* ATerm stuff. !!! find a better place to put this */
* Renamed `normalise.cc' -> `build.cc', `storeexprs.cc' -> `derivations.cc', etc. * Store the SHA-256 content hash of store paths in the database after they have been built/added. This is so that we can check whether the store has been messed with (a la `rpm --verify'). * When registering path validity, verify that the closure property holds.
2005-01-19 16:39:47 +00:00
initDerivationsHelpers();
* Drop ATmake / ATMatcher also in handling store expressions.
2004-10-29 11:22:49 +00:00
* Refactoring: move initialisation and argument parsing into a shared file.
2003-07-04 15:42:03 +00:00
/* Put the arguments in a vector. */
* Help text for all (non-script) programs, so no more: $ nix-instantiate --help error: unknown flag `--help` Try `nix-instantiate --help' for more information. :-)
2003-12-01 15:55:05 +00:00
Strings args, remaining;
* Refactoring: move initialisation and argument parsing into a shared file.
2003-07-04 15:42:03 +00:00
while (argc--) args.push_back(*argv++);
args.erase(args.begin());
* Ignore options passed to the aterm library.
2003-11-03 18:21:53 +00:00
/* Expand compound dash options (i.e., `-qlf' -> `-q -l -f'), and
ignore options for the ATerm library. */
* Help text for all (non-script) programs, so no more: $ nix-instantiate --help error: unknown flag `--help` Try `nix-instantiate --help' for more information. :-)
2003-12-01 15:55:05 +00:00
for (Strings::iterator i = args.begin(); i != args.end(); ++i) {
string arg = *i;
if (string(arg, 0, 4) == "-at-") ;
* Ignore options passed to the aterm library.
2003-11-03 18:21:53 +00:00
else if (arg.length() > 2 && arg[0] == '-' && arg[1] != '-') {
* Help text for all (non-script) programs, so no more: $ nix-instantiate --help error: unknown flag `--help` Try `nix-instantiate --help' for more information. :-)
2003-12-01 15:55:05 +00:00
for (unsigned int j = 1; j < arg.length(); j++)
if (isalpha(arg[j]))
remaining.push_back((string) "-" + arg[j]);
* Debug levels. Use `--verbose / -v LEVEL' to display only messages up to the given verbosity levels. These currently are: lvlError = 0, lvlNormal = 5, lvlDebug = 10, lvlDebugMore = 15 although only lvlError and lvlDebug are actually used right now.
2003-07-24 08:53:43 +00:00
else {
* Help text for all (non-script) programs, so no more: $ nix-instantiate --help error: unknown flag `--help` Try `nix-instantiate --help' for more information. :-)
2003-12-01 15:55:05 +00:00
remaining.push_back(string(arg, j));
* Debug levels. Use `--verbose / -v LEVEL' to display only messages up to the given verbosity levels. These currently are: lvlError = 0, lvlNormal = 5, lvlDebug = 10, lvlDebugMore = 15 although only lvlError and lvlDebug are actually used right now.
2003-07-24 08:53:43 +00:00
break;
}
* Help text for all (non-script) programs, so no more: $ nix-instantiate --help error: unknown flag `--help` Try `nix-instantiate --help' for more information. :-)
2003-12-01 15:55:05 +00:00
} else remaining.push_back(arg);
* Refactoring: move initialisation and argument parsing into a shared file.
2003-07-04 15:42:03 +00:00
}
* Help text for all (non-script) programs, so no more: $ nix-instantiate --help error: unknown flag `--help` Try `nix-instantiate --help' for more information. :-)
2003-12-01 15:55:05 +00:00
args = remaining;
remaining.clear();
* Refactoring: move initialisation and argument parsing into a shared file.
2003-07-04 15:42:03 +00:00
* Help text for all (non-script) programs, so no more: $ nix-instantiate --help error: unknown flag `--help` Try `nix-instantiate --help' for more information. :-)
2003-12-01 15:55:05 +00:00
/* Process default options. */
for (Strings::iterator i = args.begin(); i != args.end(); ++i) {
string arg = *i;
if (arg == "--verbose" || arg == "-v")
verbosity = (Verbosity) ((int) verbosity + 1);
* Nix now has three different formats for the log information it writes to stderr: - `pretty': the old nested style (default) - `escapes': uses escape codes to indicate nesting and message level; can be processed using `log2xml' - `flat': just plain text, no nesting These can be set using `--log-type TYPE' or the NIX_LOG_TYPE environment variable.
2004-03-22 20:53:49 +00:00
else if (arg == "--log-type") {
++i;
if (i == args.end()) throw UsageError("`--log-type' requires an argument");
setLogType(*i);
* A switch `-j NUMBER' to set the maximum number of parallel jobs (0 = no limit). * Add missing file to distribution.
2004-05-12 14:20:32 +00:00
}
else if (arg == "--build-output" || arg == "-B")
* The default verbosity level of all Nix commands is now lvlInfo. * Builder output is written to standard error by default. * The option `-B' is gone. * The option `-Q' suppresses builder output. The result of this is that most Nix invocations shouldn't need any flags w.r.t. logging.
2004-08-18 12:19:06 +00:00
; /* !!! obsolete - remove eventually */
else if (arg == "--no-build-output" || arg == "-Q")
buildVerbosity = lvlVomit;
* Help text for all (non-script) programs, so no more: $ nix-instantiate --help error: unknown flag `--help` Try `nix-instantiate --help' for more information. :-)
2003-12-01 15:55:05 +00:00
else if (arg == "--help") {
printHelp();
return;
* A switch `-j NUMBER' to set the maximum number of parallel jobs (0 = no limit). * Add missing file to distribution.
2004-05-12 14:20:32 +00:00
}
else if (arg == "--version") {
* Sort `nix-env -q' output by derivation name. * `--version' flag for all commands. * Manual updates.
2004-02-02 10:51:54 +00:00
cout << format("%1% (Nix) %2%") % programId % NIX_VERSION << endl;
return;
* A switch `-j NUMBER' to set the maximum number of parallel jobs (0 = no limit). * Add missing file to distribution.
2004-05-12 14:20:32 +00:00
}
else if (arg == "--keep-failed" || arg == "-K")
* Help text for all (non-script) programs, so no more: $ nix-instantiate --help error: unknown flag `--help` Try `nix-instantiate --help' for more information. :-)
2003-12-01 15:55:05 +00:00
keepFailed = true;
* A flag `--keep-going / -k' to keep building goals if one fails, as much as possible. (This is similar to GNU Make's `-k' flag.) * Refactoring to implement this: previously we just bombed out when a build failed, but now we have to clean up. In particular this means that goals must be freed quickly --- they shouldn't hang around until the worker exits. So the worker now maintains weak pointers in order not to prevent garbage collection. * Documented the `-k' and `-j' flags.
2004-06-25 15:36:09 +00:00
else if (arg == "--keep-going" || arg == "-k")
keepGoing = true;
* Added a switch `--fallback'. From the manual: Whenever Nix attempts to realise a derivation for which a closure is already known, but this closure cannot be realised, fall back on normalising the derivation. The most common scenario in which this is useful is when we have registered substitutes in order to perform binary distribution from, say, a network repository. If the repository is down, the realisation of the derivation will fail. When this option is specified, Nix will build the derivation instead. Thus, binary installation falls back on a source installation. This option is not the default since it is generally not desirable for a transient failure in obtaining the substitutes to lead to a full build from source (with the related consumption of resources).
2004-06-28 10:42:57 +00:00
else if (arg == "--fallback")
tryFallback = true;
* A switch `-j NUMBER' to set the maximum number of parallel jobs (0 = no limit). * Add missing file to distribution.
2004-05-12 14:20:32 +00:00
else if (arg == "--max-jobs" || arg == "-j") {
++i;
if (i == args.end()) throw UsageError("`--max-jobs' requires an argument");
int n;
* Operation `--delete-generations' to delete generations of a profile. Arguments are either generation number, or `old' to delete all non-current generations. Typical use: $ nix-env --delete-generations old $ nix-collect-garbage * istringstream -> string2Int.
2004-09-10 13:32:08 +00:00
if (!string2Int(*i, n) || n < 0)
* A switch `-j NUMBER' to set the maximum number of parallel jobs (0 = no limit). * Add missing file to distribution.
2004-05-12 14:20:32 +00:00
throw UsageError(format("`--max-jobs' requires a non-negative integer"));
maxBuildJobs = n;
}
* Allow certain operations to succeed even if we don't have write permission to the Nix store or database. E.g., `nix-env -qa' will work, but `nix-env -qas' won't (the latter needs DB access). The option `--readonly-mode' forces this mode; otherwise, it's only activated when the database cannot be opened.
2004-10-25 14:38:23 +00:00
else if (arg == "--readonly-mode")
readOnlyMode = true;
* Help text for all (non-script) programs, so no more: $ nix-instantiate --help error: unknown flag `--help` Try `nix-instantiate --help' for more information. :-)
2003-12-01 15:55:05 +00:00
else remaining.push_back(arg);
}
* Automatically remove temporary root files.
2005-01-31 21:20:59 +00:00
/* Automatically clean up the temporary roots file when we
exit. */
* nix-store, nix-instantiate: added an option `--add-root' to immediately add the result as a permanent GC root. This is the only way to prevent a race with the garbage collector. For instance, the old style ln -s $(nix-store -r $(nix-instantiate foo.nix)) \ /nix/var/nix/gcroots/result has two time windows in which the garbage collector can interfere (by GC'ing the derivation and the output, respectively). On the other hand, nix-store --add-root /nix/var/nix/gcroots/result -r \ $(nix-instantiate --add-root /nix/var/nix/gcroots/drv \ foo.nix) is safe. * nix-build: use `--add-root' to prevent GC races.
2005-02-01 12:36:25 +00:00
RemoveTempRoots removeTempRoots; /* unused variable - don't remove */
* Automatically remove temporary root files.
2005-01-31 21:20:59 +00:00
* Help text for all (non-script) programs, so no more: $ nix-instantiate --help error: unknown flag `--help` Try `nix-instantiate --help' for more information. :-)
2003-12-01 15:55:05 +00:00
run(remaining);
* Refactoring: move initialisation and argument parsing into a shared file.
2003-07-04 15:42:03 +00:00
}
* A very dirty hack to make setuid installations a bit nicer to use. Previously there was the problem that all files read by nix-env etc. should be reachable and readable by the Nix user. So for instance building a Nix expression in your home directory meant that the home directory should have at least g+x or o+x permission so that the Nix user could reach the Nix expression. Now we just switch back to the original user just prior to reading sources and the like. The places where this happens are somewhat arbitrary, however. Any scope that has a live SwitchToOriginalUser object in it is executed as the original user. * Back out r1385. setreuid() sets the saved uid to the new real/effective uid, which prevents us from switching back to the original uid. setresuid() doesn't have this problem (although the manpage has a bug: specifying -1 for the saved uid doesn't leave it unchanged; an explicit value must be specified).
2004-09-09 21:12:53 +00:00
static bool haveSwitched;
static uid_t savedUid, nixUid;
static gid_t savedGid, nixGid;
#if HAVE_SETRESUID
#define _setuid(uid) setresuid(uid, uid, savedUid)
#define _setgid(gid) setresgid(gid, gid, savedGid)
* On systems that have the setresuid() and setresgid() system calls to set the real uid and gid to the effective uid and gid, the Nix binaries can be installed as owned by the Nix user and group instead of root, so no root involvement of any kind is necessary. Linux and FreeBSD have these functions.
2004-08-20 15:22:33 +00:00
#else
/* Only works properly when run by root. */
#define _setuid(uid) setuid(uid)
#define _setgid(gid) setgid(gid)
#endif
* A very dirty hack to make setuid installations a bit nicer to use. Previously there was the problem that all files read by nix-env etc. should be reachable and readable by the Nix user. So for instance building a Nix expression in your home directory meant that the home directory should have at least g+x or o+x permission so that the Nix user could reach the Nix expression. Now we just switch back to the original user just prior to reading sources and the like. The places where this happens are somewhat arbitrary, however. Any scope that has a live SwitchToOriginalUser object in it is executed as the original user. * Back out r1385. setreuid() sets the saved uid to the new real/effective uid, which prevents us from switching back to the original uid. setresuid() doesn't have this problem (although the manpage has a bug: specifying -1 for the saved uid doesn't leave it unchanged; an explicit value must be specified).
2004-09-09 21:12:53 +00:00
SwitchToOriginalUser::SwitchToOriginalUser()
{
#if SETUID_HACK && HAVE_SETRESUID
/* Temporarily switch the effective uid/gid back to the saved
uid/gid (which is the uid/gid of the user that executed the Nix
program; it's *not* the real uid/gid, since we changed that to
the Nix user in switchToNixUser()). */
if (haveSwitched) {
if (setuid(savedUid) == -1)
throw SysError(format("temporarily restoring uid to `%1%'") % savedUid);
if (setgid(savedGid) == -1)
throw SysError(format("temporarily restoring gid to `%1%'") % savedGid);
}
#endif
}
SwitchToOriginalUser::~SwitchToOriginalUser()
{
#if SETUID_HACK && HAVE_SETRESUID
/* Switch the effective uid/gid back to the Nix user. */
if (haveSwitched) {
if (setuid(nixUid) == -1)
throw SysError(format("restoring uid to `%1%'") % nixUid);
if (setgid(nixGid) == -1)
throw SysError(format("restoring gid to `%1%'") % nixGid);
}
#endif
}
* Setuid support for sharing a Nix installation between multiple users. If the configure flag `--enable-setuid' is used, the Nix programs nix-env, nix-store, etc. are installed with the setuid bit turned on so that they are executed as the user and group specified by `--with-nix-user=USER' and `--with-nix-group=GROUP', respectively (with defaults `nix' and `nix'). The setuid programs drop all special privileges if they are executed by a user who is not a member of the Nix group. The setuid feature is a quick hack to enable sharing of a Nix installation between users who trust each other. It is not generally secure, since any user in the Nix group can modify (by building an appropriate derivation) any object in the store, and for instance inject trojans into binaries used by other users. The setuid programs are owned by root, not the Nix user. This is because on Unix normal users cannot change the real uid, only the effective uid. Many programs don't work properly when the real uid differs from the effective uid. For instance, Perl will turn on taint mode. However, the setuid programs drop all root privileges immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
void switchToNixUser()
{
#if SETUID_HACK
* Unbreak programs that are not setuid (such as nix-hash).
2004-08-20 15:31:46 +00:00
/* Don't do anything if this is not a setuid binary. */
* The gid should also match.
2004-08-20 15:47:58 +00:00
if (getuid() == geteuid() && getgid() == getegid()) return;
* Unbreak programs that are not setuid (such as nix-hash).
2004-08-20 15:31:46 +00:00
* Setuid support for sharing a Nix installation between multiple users. If the configure flag `--enable-setuid' is used, the Nix programs nix-env, nix-store, etc. are installed with the setuid bit turned on so that they are executed as the user and group specified by `--with-nix-user=USER' and `--with-nix-group=GROUP', respectively (with defaults `nix' and `nix'). The setuid programs drop all special privileges if they are executed by a user who is not a member of the Nix group. The setuid feature is a quick hack to enable sharing of a Nix installation between users who trust each other. It is not generally secure, since any user in the Nix group can modify (by building an appropriate derivation) any object in the store, and for instance inject trojans into binaries used by other users. The setuid programs are owned by root, not the Nix user. This is because on Unix normal users cannot change the real uid, only the effective uid. Many programs don't work properly when the real uid differs from the effective uid. For instance, Perl will turn on taint mode. However, the setuid programs drop all root privileges immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
/* Here we set the uid and gid to the Nix user and group,
respectively, IF the current (real) user is a member of the Nix
group. Otherwise we just drop all privileges. */
/* Lookup the Nix gid. */
struct group * gr = getgrnam(NIX_GROUP);
if (!gr) {
cerr << format("missing group `%1%'\n") % NIX_GROUP;
exit(1);
}
/* Get the supplementary group IDs for the current user. */
int maxGids = 512, nrGids;
gid_t gids[maxGids];
if ((nrGids = getgroups(maxGids, gids)) == -1) {
cerr << format("unable to query gids\n");
exit(1);
}
* On systems that have the setresuid() and setresgid() system calls to set the real uid and gid to the effective uid and gid, the Nix binaries can be installed as owned by the Nix user and group instead of root, so no root involvement of any kind is necessary. Linux and FreeBSD have these functions.
2004-08-20 15:22:33 +00:00
/* !!! Apparently it is unspecified whether getgroups() includes
the effective gid. In that case the following test is always
true *if* the program is installed setgid (which we do when we
* A very dirty hack to make setuid installations a bit nicer to use. Previously there was the problem that all files read by nix-env etc. should be reachable and readable by the Nix user. So for instance building a Nix expression in your home directory meant that the home directory should have at least g+x or o+x permission so that the Nix user could reach the Nix expression. Now we just switch back to the original user just prior to reading sources and the like. The places where this happens are somewhat arbitrary, however. Any scope that has a live SwitchToOriginalUser object in it is executed as the original user. * Back out r1385. setreuid() sets the saved uid to the new real/effective uid, which prevents us from switching back to the original uid. setresuid() doesn't have this problem (although the manpage has a bug: specifying -1 for the saved uid doesn't leave it unchanged; an explicit value must be specified).
2004-09-09 21:12:53 +00:00
have setresuid()). On Linux this doesn't appear to be the
* On systems that have the setresuid() and setresgid() system calls to set the real uid and gid to the effective uid and gid, the Nix binaries can be installed as owned by the Nix user and group instead of root, so no root involvement of any kind is necessary. Linux and FreeBSD have these functions.
2004-08-20 15:22:33 +00:00
case, but we should switch to the real gid before doing this
test, and then switch back to the saved gid. */
* Setuid support for sharing a Nix installation between multiple users. If the configure flag `--enable-setuid' is used, the Nix programs nix-env, nix-store, etc. are installed with the setuid bit turned on so that they are executed as the user and group specified by `--with-nix-user=USER' and `--with-nix-group=GROUP', respectively (with defaults `nix' and `nix'). The setuid programs drop all special privileges if they are executed by a user who is not a member of the Nix group. The setuid feature is a quick hack to enable sharing of a Nix installation between users who trust each other. It is not generally secure, since any user in the Nix group can modify (by building an appropriate derivation) any object in the store, and for instance inject trojans into binaries used by other users. The setuid programs are owned by root, not the Nix user. This is because on Unix normal users cannot change the real uid, only the effective uid. Many programs don't work properly when the real uid differs from the effective uid. For instance, Perl will turn on taint mode. However, the setuid programs drop all root privileges immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
/* Check that the current user is a member of the Nix group. */
bool found = false;
for (int i = 0; i < nrGids; ++i)
if (gids[i] == gr->gr_gid) {
found = true;
break;
}
if (!found) {
/* Not in the Nix group - drop all root/Nix privileges. */
* On systems that have the setresuid() and setresgid() system calls to set the real uid and gid to the effective uid and gid, the Nix binaries can be installed as owned by the Nix user and group instead of root, so no root involvement of any kind is necessary. Linux and FreeBSD have these functions.
2004-08-20 15:22:33 +00:00
_setgid(getgid());
_setuid(getuid());
* Setuid support for sharing a Nix installation between multiple users. If the configure flag `--enable-setuid' is used, the Nix programs nix-env, nix-store, etc. are installed with the setuid bit turned on so that they are executed as the user and group specified by `--with-nix-user=USER' and `--with-nix-group=GROUP', respectively (with defaults `nix' and `nix'). The setuid programs drop all special privileges if they are executed by a user who is not a member of the Nix group. The setuid feature is a quick hack to enable sharing of a Nix installation between users who trust each other. It is not generally secure, since any user in the Nix group can modify (by building an appropriate derivation) any object in the store, and for instance inject trojans into binaries used by other users. The setuid programs are owned by root, not the Nix user. This is because on Unix normal users cannot change the real uid, only the effective uid. Many programs don't work properly when the real uid differs from the effective uid. For instance, Perl will turn on taint mode. However, the setuid programs drop all root privileges immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
return;
}
* A very dirty hack to make setuid installations a bit nicer to use. Previously there was the problem that all files read by nix-env etc. should be reachable and readable by the Nix user. So for instance building a Nix expression in your home directory meant that the home directory should have at least g+x or o+x permission so that the Nix user could reach the Nix expression. Now we just switch back to the original user just prior to reading sources and the like. The places where this happens are somewhat arbitrary, however. Any scope that has a live SwitchToOriginalUser object in it is executed as the original user. * Back out r1385. setreuid() sets the saved uid to the new real/effective uid, which prevents us from switching back to the original uid. setresuid() doesn't have this problem (although the manpage has a bug: specifying -1 for the saved uid doesn't leave it unchanged; an explicit value must be specified).
2004-09-09 21:12:53 +00:00
savedUid = getuid();
savedGid = getgid();
* Setuid support for sharing a Nix installation between multiple users. If the configure flag `--enable-setuid' is used, the Nix programs nix-env, nix-store, etc. are installed with the setuid bit turned on so that they are executed as the user and group specified by `--with-nix-user=USER' and `--with-nix-group=GROUP', respectively (with defaults `nix' and `nix'). The setuid programs drop all special privileges if they are executed by a user who is not a member of the Nix group. The setuid feature is a quick hack to enable sharing of a Nix installation between users who trust each other. It is not generally secure, since any user in the Nix group can modify (by building an appropriate derivation) any object in the store, and for instance inject trojans into binaries used by other users. The setuid programs are owned by root, not the Nix user. This is because on Unix normal users cannot change the real uid, only the effective uid. Many programs don't work properly when the real uid differs from the effective uid. For instance, Perl will turn on taint mode. However, the setuid programs drop all root privileges immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
/* Set the real, effective and saved gids to gr->gr_gid. Also
make very sure that this succeeded. We switch the gid first
because we cannot do it after we have dropped root uid. */
* A very dirty hack to make setuid installations a bit nicer to use. Previously there was the problem that all files read by nix-env etc. should be reachable and readable by the Nix user. So for instance building a Nix expression in your home directory meant that the home directory should have at least g+x or o+x permission so that the Nix user could reach the Nix expression. Now we just switch back to the original user just prior to reading sources and the like. The places where this happens are somewhat arbitrary, however. Any scope that has a live SwitchToOriginalUser object in it is executed as the original user. * Back out r1385. setreuid() sets the saved uid to the new real/effective uid, which prevents us from switching back to the original uid. setresuid() doesn't have this problem (although the manpage has a bug: specifying -1 for the saved uid doesn't leave it unchanged; an explicit value must be specified).
2004-09-09 21:12:53 +00:00
nixGid = gr->gr_gid;
if (_setgid(nixGid) != 0 || getgid() != nixGid || getegid() != nixGid) {
* Setuid support for sharing a Nix installation between multiple users. If the configure flag `--enable-setuid' is used, the Nix programs nix-env, nix-store, etc. are installed with the setuid bit turned on so that they are executed as the user and group specified by `--with-nix-user=USER' and `--with-nix-group=GROUP', respectively (with defaults `nix' and `nix'). The setuid programs drop all special privileges if they are executed by a user who is not a member of the Nix group. The setuid feature is a quick hack to enable sharing of a Nix installation between users who trust each other. It is not generally secure, since any user in the Nix group can modify (by building an appropriate derivation) any object in the store, and for instance inject trojans into binaries used by other users. The setuid programs are owned by root, not the Nix user. This is because on Unix normal users cannot change the real uid, only the effective uid. Many programs don't work properly when the real uid differs from the effective uid. For instance, Perl will turn on taint mode. However, the setuid programs drop all root privileges immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
cerr << format("unable to set gid to `%1%'\n") % NIX_GROUP;
exit(1);
}
/* Lookup the Nix uid. */
struct passwd * pw = getpwnam(NIX_USER);
if (!pw) {
cerr << format("missing user `%1%'\n") % NIX_USER;
exit(1);
}
/* This will drop all root privileges, setting the real, effective
and saved uids to pw->pw_uid. Also make very sure that this
succeeded.*/
* A very dirty hack to make setuid installations a bit nicer to use. Previously there was the problem that all files read by nix-env etc. should be reachable and readable by the Nix user. So for instance building a Nix expression in your home directory meant that the home directory should have at least g+x or o+x permission so that the Nix user could reach the Nix expression. Now we just switch back to the original user just prior to reading sources and the like. The places where this happens are somewhat arbitrary, however. Any scope that has a live SwitchToOriginalUser object in it is executed as the original user. * Back out r1385. setreuid() sets the saved uid to the new real/effective uid, which prevents us from switching back to the original uid. setresuid() doesn't have this problem (although the manpage has a bug: specifying -1 for the saved uid doesn't leave it unchanged; an explicit value must be specified).
2004-09-09 21:12:53 +00:00
nixUid = pw->pw_uid;
if (_setuid(nixUid) != 0 || getuid() != nixUid || geteuid() != nixUid) {
* Setuid support for sharing a Nix installation between multiple users. If the configure flag `--enable-setuid' is used, the Nix programs nix-env, nix-store, etc. are installed with the setuid bit turned on so that they are executed as the user and group specified by `--with-nix-user=USER' and `--with-nix-group=GROUP', respectively (with defaults `nix' and `nix'). The setuid programs drop all special privileges if they are executed by a user who is not a member of the Nix group. The setuid feature is a quick hack to enable sharing of a Nix installation between users who trust each other. It is not generally secure, since any user in the Nix group can modify (by building an appropriate derivation) any object in the store, and for instance inject trojans into binaries used by other users. The setuid programs are owned by root, not the Nix user. This is because on Unix normal users cannot change the real uid, only the effective uid. Many programs don't work properly when the real uid differs from the effective uid. For instance, Perl will turn on taint mode. However, the setuid programs drop all root privileges immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
cerr << format("unable to set uid to `%1%'\n") % NIX_USER;
exit(1);
}
* A very dirty hack to make setuid installations a bit nicer to use. Previously there was the problem that all files read by nix-env etc. should be reachable and readable by the Nix user. So for instance building a Nix expression in your home directory meant that the home directory should have at least g+x or o+x permission so that the Nix user could reach the Nix expression. Now we just switch back to the original user just prior to reading sources and the like. The places where this happens are somewhat arbitrary, however. Any scope that has a live SwitchToOriginalUser object in it is executed as the original user. * Back out r1385. setreuid() sets the saved uid to the new real/effective uid, which prevents us from switching back to the original uid. setresuid() doesn't have this problem (although the manpage has a bug: specifying -1 for the saved uid doesn't leave it unchanged; an explicit value must be specified).
2004-09-09 21:12:53 +00:00
haveSwitched = true;
* Setuid support for sharing a Nix installation between multiple users. If the configure flag `--enable-setuid' is used, the Nix programs nix-env, nix-store, etc. are installed with the setuid bit turned on so that they are executed as the user and group specified by `--with-nix-user=USER' and `--with-nix-group=GROUP', respectively (with defaults `nix' and `nix'). The setuid programs drop all special privileges if they are executed by a user who is not a member of the Nix group. The setuid feature is a quick hack to enable sharing of a Nix installation between users who trust each other. It is not generally secure, since any user in the Nix group can modify (by building an appropriate derivation) any object in the store, and for instance inject trojans into binaries used by other users. The setuid programs are owned by root, not the Nix user. This is because on Unix normal users cannot change the real uid, only the effective uid. Many programs don't work properly when the real uid differs from the effective uid. For instance, Perl will turn on taint mode. However, the setuid programs drop all root privileges immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
#endif
}
* Substitutes and nix-pull now work again. * Fixed a segfault caused by the buffering of stderr. * Fix now allows the specification of the full output path. This should be used with great care, since it by-passes the normal hash generation. * Incremented the version number to 0.4 (prerelease).
2003-10-16 16:29:57 +00:00
static char buf[1024];
* Refactoring: move initialisation and argument parsing into a shared file.
2003-07-04 15:42:03 +00:00
int main(int argc, char * * argv)
{
* Setuid support for sharing a Nix installation between multiple users. If the configure flag `--enable-setuid' is used, the Nix programs nix-env, nix-store, etc. are installed with the setuid bit turned on so that they are executed as the user and group specified by `--with-nix-user=USER' and `--with-nix-group=GROUP', respectively (with defaults `nix' and `nix'). The setuid programs drop all special privileges if they are executed by a user who is not a member of the Nix group. The setuid feature is a quick hack to enable sharing of a Nix installation between users who trust each other. It is not generally secure, since any user in the Nix group can modify (by building an appropriate derivation) any object in the store, and for instance inject trojans into binaries used by other users. The setuid programs are owned by root, not the Nix user. This is because on Unix normal users cannot change the real uid, only the effective uid. Many programs don't work properly when the real uid differs from the effective uid. For instance, Perl will turn on taint mode. However, the setuid programs drop all root privileges immediately, changing all uids and gids to the Nix user and group.
2004-08-20 14:49:05 +00:00
/* If we are setuid root, we have to get rid of the excess
privileges ASAP. */
switchToNixUser();
* Refactoring: move initialisation and argument parsing into a shared file.
2003-07-04 15:42:03 +00:00
/* ATerm setup. */
ATerm bottomOfStack;
ATinit(argc, argv, &bottomOfStack);
* Enable buffering of stderr in C++.
2003-10-16 11:55:37 +00:00
/* Turn on buffering for cerr. */
* GCC 2.95 compatibility.
2003-12-22 16:40:46 +00:00
#if HAVE_PUBSETBUF
* Enable buffering of stderr in C++.
2003-10-16 11:55:37 +00:00
cerr.rdbuf()->pubsetbuf(buf, sizeof(buf));
* GCC 2.95 compatibility.
2003-12-22 16:40:46 +00:00
#endif
* Enable buffering of stderr in C++.
2003-10-16 11:55:37 +00:00
* Refactoring: move initialisation and argument parsing into a shared file.
2003-07-04 15:42:03 +00:00
try {
* True parallel builds. Nix can now run as many build jobs in parallel as possible (similar to GNU Make's `-j' switch). This is useful on SMP systems, but it is especially useful for doing builds on multiple machines. The idea is that a large derivation is initiated on one master machine, which then distributes sub-derivations to any number of slave machines. This should not happen synchronously or in lock-step, so the master must be capable of dealing with multiple parallel build jobs. We now have the infrastructure to support this. TODO: substitutes are currently broken.
2004-05-11 18:05:44 +00:00
try {
initAndRun(argc, argv);
} catch (...) {
/* Subtle: we have to make sure that any `interrupted'
condition is discharged before we reach printMsg()
below, since otherwise it will throw an (uncaught)
exception. */
blockInt = 1; /* ignore further SIGINTs */
_isInterrupted = 0;
throw;
}
* Refactoring: move initialisation and argument parsing into a shared file.
2003-07-04 15:42:03 +00:00
} catch (UsageError & e) {
* Turned the msg() and debug() functions into macros, since they turned out to be a huge performance bottleneck (the text to printed would always be evaluated, even when it was above the verbosity level). This reduces fix-ng execution time by over 50%. gprof(1) is very useful. :-)
2003-11-09 10:35:45 +00:00
printMsg(lvlError,
* Debug levels. Use `--verbose / -v LEVEL' to display only messages up to the given verbosity levels. These currently are: lvlError = 0, lvlNormal = 5, lvlDebug = 10, lvlDebugMore = 15 although only lvlError and lvlDebug are actually used right now.
2003-07-24 08:53:43 +00:00
format(
"error: %1%\n"
"Try `%2% --help' for more information.")
% e.what() % programId);
* Refactoring: move initialisation and argument parsing into a shared file.
2003-07-04 15:42:03 +00:00
return 1;
* Make dbRefs a mapping from Hash to [Path].
2003-07-07 09:25:26 +00:00
} catch (Error & e) {
* Turned the msg() and debug() functions into macros, since they turned out to be a huge performance bottleneck (the text to printed would always be evaluated, even when it was above the verbosity level). This reduces fix-ng execution time by over 50%. gprof(1) is very useful. :-)
2003-11-09 10:35:45 +00:00
printMsg(lvlError, format("error: %1%") % e.msg());
* Make dbRefs a mapping from Hash to [Path].
2003-07-07 09:25:26 +00:00
return 1;
* Refactoring: move initialisation and argument parsing into a shared file.
2003-07-04 15:42:03 +00:00
} catch (exception & e) {
* Turned the msg() and debug() functions into macros, since they turned out to be a huge performance bottleneck (the text to printed would always be evaluated, even when it was above the verbosity level). This reduces fix-ng execution time by over 50%. gprof(1) is very useful. :-)
2003-11-09 10:35:45 +00:00
printMsg(lvlError, format("error: %1%") % e.what());
* Refactoring: move initialisation and argument parsing into a shared file.
2003-07-04 15:42:03 +00:00
return 1;
}
return 0;
}
Reference in a new issue Copy permalink