Allow daemon users to override ‘binary-caches’
For security reasons, daemon users can only specify caches that appear in the ‘binary-caches’ and ‘trusted-binary-caches’ options in nix.conf.
This commit is contained in:
parent
eb7849e3a2
commit
4d1b64f118
|
@ -329,6 +329,19 @@ build-use-chroot = /dev /proc /bin</programlisting>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|
||||||
|
<varlistentry><term><literal>trusted-binary-caches</literal></term>
|
||||||
|
|
||||||
|
<listitem><para>A list of URLs of binary caches, separated by
|
||||||
|
whitespace. These are not used by default, but can be enabled by
|
||||||
|
users of the Nix daemon by specifying <literal>--option
|
||||||
|
binary-caches <replaceable>urls</replaceable></literal> on the
|
||||||
|
command line. Daemon users are only allowed to pass a subset of
|
||||||
|
the URLs listed in <literal>binary-caches</literal> and
|
||||||
|
<literal>trusted-binary-caches</literal>.</para></listitem>
|
||||||
|
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
|
||||||
<varlistentry><term><literal>binary-caches-parallel-connections</literal></term>
|
<varlistentry><term><literal>binary-caches-parallel-connections</literal></term>
|
||||||
|
|
||||||
<listitem><para>The maximum number of parallel HTTP connections
|
<listitem><para>The maximum number of parallel HTTP connections
|
||||||
|
|
|
@ -8,6 +8,7 @@ use Nix::Store;
|
||||||
use Nix::Utils;
|
use Nix::Utils;
|
||||||
use WWW::Curl::Easy;
|
use WWW::Curl::Easy;
|
||||||
use WWW::Curl::Multi;
|
use WWW::Curl::Multi;
|
||||||
|
use List::MoreUtils qw(any);
|
||||||
use strict;
|
use strict;
|
||||||
|
|
||||||
|
|
||||||
|
@ -166,10 +167,33 @@ sub getAvailableCaches {
|
||||||
return if $gotCaches;
|
return if $gotCaches;
|
||||||
$gotCaches = 1;
|
$gotCaches = 1;
|
||||||
|
|
||||||
my @urls = map { s/\/+$//; $_ } split(/ /,
|
sub strToList {
|
||||||
$Nix::Config::config{"binary-caches"}
|
my ($s) = @_;
|
||||||
|
return map { s/\/+$//; $_ } split(/ /, $s);
|
||||||
|
}
|
||||||
|
|
||||||
|
my @urls = strToList
|
||||||
|
($Nix::Config::config{"binary-caches"}
|
||||||
// ($Nix::Config::storeDir eq "/nix/store" ? "http://nixos.org/binary-cache" : ""));
|
// ($Nix::Config::storeDir eq "/nix/store" ? "http://nixos.org/binary-cache" : ""));
|
||||||
|
|
||||||
|
# Allow Nix daemon users to override the binary caches to a subset
|
||||||
|
# of those listed in the config file. Note that ‘untrusted-*’
|
||||||
|
# denotes options passed by the client.
|
||||||
|
if (defined $Nix::Config::config{"untrusted-binary-caches"}) {
|
||||||
|
my @untrustedUrls = strToList $Nix::Config::config{"untrusted-binary-caches"};
|
||||||
|
my @trustedUrls = (@urls, strToList($Nix::Config::config{"trusted-binary-caches"} // ""));
|
||||||
|
@urls = ();
|
||||||
|
foreach my $url (@untrustedUrls) {
|
||||||
|
if (any { $url eq $_ } @trustedUrls) {
|
||||||
|
push @urls, $url;
|
||||||
|
} else {
|
||||||
|
# FIXME: should die here, but we currently can't
|
||||||
|
# deliver error messages to clients.
|
||||||
|
warn "warning: binary cache ‘$url’ is not trusted (please add it to ‘trusted-binary-caches’ in $Nix::Config::confDir/nix.conf)\n";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
foreach my $url (@urls) {
|
foreach my $url (@urls) {
|
||||||
|
|
||||||
# FIXME: not atomic.
|
# FIXME: not atomic.
|
||||||
|
|
Loading…
Reference in a new issue