Merge pull request #3136 from NixOS/no-world-writable

Remove world-writability from {profiles,gcroots}/per-user
This commit is contained in:
Eelco Dolstra 2019-10-09 23:35:45 +02:00 committed by GitHub
commit 94dfb6b1fe
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
16 changed files with 82 additions and 132 deletions

View file

@ -106,7 +106,7 @@ chmod 1775 $RPM_BUILD_ROOT/nix/store
for d in profiles gcroots; for d in profiles gcroots;
do do
mkdir -p $RPM_BUILD_ROOT/nix/var/nix/$d/per-user mkdir -p $RPM_BUILD_ROOT/nix/var/nix/$d/per-user
chmod 1777 $RPM_BUILD_ROOT/nix/var/nix/$d/per-user chmod 755 $RPM_BUILD_ROOT/nix/var/nix/$d/per-user
done done
# fix permission of nix profile # fix permission of nix profile

View file

@ -437,24 +437,17 @@ create_build_users() {
} }
create_directories() { create_directories() {
# FIXME: remove all of this because it duplicates LocalStore::LocalStore().
_sudo "to make the basic directory structure of Nix (part 1)" \ _sudo "to make the basic directory structure of Nix (part 1)" \
mkdir -pv -m 0755 /nix /nix/var /nix/var/log /nix/var/log/nix /nix/var/log/nix/drvs /nix/var/nix{,/db,/gcroots,/profiles,/temproots,/userpool} mkdir -pv -m 0755 /nix /nix/var /nix/var/log /nix/var/log/nix /nix/var/log/nix/drvs /nix/var/nix{,/db,/gcroots,/profiles,/temproots,/userpool} /nix/var/nix/{gcroots,profiles}/per-user
_sudo "to make the basic directory structure of Nix (part 2)" \ _sudo "to make the basic directory structure of Nix (part 2)" \
mkdir -pv -m 1777 /nix/var/nix/{gcroots,profiles}/per-user
_sudo "to make the basic directory structure of Nix (part 3)" \
mkdir -pv -m 1775 /nix/store mkdir -pv -m 1775 /nix/store
_sudo "to make the basic directory structure of Nix (part 4)" \ _sudo "to make the basic directory structure of Nix (part 3)" \
chgrp "$NIX_BUILD_GROUP_NAME" /nix/store chgrp "$NIX_BUILD_GROUP_NAME" /nix/store
_sudo "to set up the root user's profile (part 1)" \
mkdir -pv -m 0755 /nix/var/nix/profiles/per-user/root
_sudo "to set up the root user's profile (part 2)" \
mkdir -pv -m 0700 "$ROOT_HOME/.nix-defexpr"
_sudo "to place the default nix daemon configuration (part 1)" \ _sudo "to place the default nix daemon configuration (part 1)" \
mkdir -pv -m 0555 /etc/nix mkdir -pv -m 0555 /etc/nix
} }
@ -497,7 +490,7 @@ EOF
We will: We will:
- make sure your computer doesn't already have Nix files - make sure your computer doesn't already have Nix files
(if it does, I will tell you how to clean them up.) (if it does, I will tell you how to clean them up.)
- create local users (see the list above for the users we'll make) - create local users (see the list above for the users we'll make)
- create a local group ($NIX_BUILD_GROUP_NAME) - create a local group ($NIX_BUILD_GROUP_NAME)
- install Nix in to $NIX_ROOT - install Nix in to $NIX_ROOT

View file

@ -5,45 +5,6 @@ __ETC_PROFILE_NIX_SOURCED=1
export NIX_USER_PROFILE_DIR="@localstatedir@/nix/profiles/per-user/$USER" export NIX_USER_PROFILE_DIR="@localstatedir@/nix/profiles/per-user/$USER"
export NIX_PROFILES="@localstatedir@/nix/profiles/default $HOME/.nix-profile" export NIX_PROFILES="@localstatedir@/nix/profiles/default $HOME/.nix-profile"
# Set up the per-user profile.
mkdir -m 0755 -p $NIX_USER_PROFILE_DIR
if ! test -O "$NIX_USER_PROFILE_DIR"; then
echo "WARNING: bad ownership on $NIX_USER_PROFILE_DIR" >&2
fi
if test -w $HOME; then
if ! test -L $HOME/.nix-profile; then
if test "$USER" != root; then
ln -s $NIX_USER_PROFILE_DIR/profile $HOME/.nix-profile
else
# Root installs in the system-wide profile by default.
ln -s @localstatedir@/nix/profiles/default $HOME/.nix-profile
fi
fi
# Subscribe the root user to the NixOS channel by default.
if [ "$USER" = root -a ! -e $HOME/.nix-channels ]; then
echo "https://nixos.org/channels/nixpkgs-unstable nixpkgs" > $HOME/.nix-channels
fi
# Create the per-user garbage collector roots directory.
NIX_USER_GCROOTS_DIR=@localstatedir@/nix/gcroots/per-user/$USER
mkdir -m 0755 -p $NIX_USER_GCROOTS_DIR
if ! test -O "$NIX_USER_GCROOTS_DIR"; then
echo "WARNING: bad ownership on $NIX_USER_GCROOTS_DIR" >&2
fi
# Set up a default Nix expression from which to install stuff.
if [ ! -e $HOME/.nix-defexpr -o -L $HOME/.nix-defexpr ]; then
rm -f $HOME/.nix-defexpr
mkdir -p $HOME/.nix-defexpr
if [ "$USER" != root ]; then
ln -s @localstatedir@/nix/profiles/per-user/root/channels $HOME/.nix-defexpr/channels_root
fi
fi
fi
# Set $NIX_SSL_CERT_FILE so that Nixpkgs applications like curl work. # Set $NIX_SSL_CERT_FILE so that Nixpkgs applications like curl work.
if [ ! -z "${NIX_SSL_CERT_FILE:-}" ]; then if [ ! -z "${NIX_SSL_CERT_FILE:-}" ]; then
: # Allow users to override the NIX_SSL_CERT_FILE : # Allow users to override the NIX_SSL_CERT_FILE

View file

@ -1,6 +1,4 @@
if [ -n "$HOME" ] && [ -n "$USER" ]; then if [ -n "$HOME" ] && [ -n "$USER" ]; then
__savedpath="$PATH"
export PATH=@coreutils@
# Set up the per-user profile. # Set up the per-user profile.
# This part should be kept in sync with nixpkgs:nixos/modules/programs/shell.nix # This part should be kept in sync with nixpkgs:nixos/modules/programs/shell.nix
@ -9,48 +7,6 @@ if [ -n "$HOME" ] && [ -n "$USER" ]; then
NIX_USER_PROFILE_DIR=@localstatedir@/nix/profiles/per-user/$USER NIX_USER_PROFILE_DIR=@localstatedir@/nix/profiles/per-user/$USER
mkdir -m 0755 -p "$NIX_USER_PROFILE_DIR"
if [ "$(stat --printf '%u' "$NIX_USER_PROFILE_DIR")" != "$(id -u)" ]; then
echo "Nix: WARNING: bad ownership on "$NIX_USER_PROFILE_DIR", should be $(id -u)" >&2
fi
if [ -w "$HOME" ]; then
if ! [ -L "$NIX_LINK" ]; then
echo "Nix: creating $NIX_LINK" >&2
if [ "$USER" != root ]; then
if ! ln -s "$NIX_USER_PROFILE_DIR"/profile "$NIX_LINK"; then
echo "Nix: WARNING: could not create $NIX_LINK -> $NIX_USER_PROFILE_DIR/profile" >&2
fi
else
# Root installs in the system-wide profile by default.
ln -s @localstatedir@/nix/profiles/default "$NIX_LINK"
fi
fi
# Subscribe the user to the unstable Nixpkgs channel by default.
if [ ! -e "$HOME/.nix-channels" ]; then
echo "https://nixos.org/channels/nixpkgs-unstable nixpkgs" > "$HOME/.nix-channels"
fi
# Create the per-user garbage collector roots directory.
__user_gcroots=@localstatedir@/nix/gcroots/per-user/"$USER"
mkdir -m 0755 -p "$__user_gcroots"
if [ "$(stat --printf '%u' "$__user_gcroots")" != "$(id -u)" ]; then
echo "Nix: WARNING: bad ownership on $__user_gcroots, should be $(id -u)" >&2
fi
unset __user_gcroots
# Set up a default Nix expression from which to install stuff.
__nix_defexpr="$HOME"/.nix-defexpr
[ -L "$__nix_defexpr" ] && rm -f "$__nix_defexpr"
mkdir -m 0755 -p "$__nix_defexpr"
if [ "$USER" != root ] && [ ! -L "$__nix_defexpr"/channels_root ]; then
ln -s @localstatedir@/nix/profiles/per-user/root/channels "$__nix_defexpr"/channels_root
fi
unset __nix_defexpr
fi
# Append ~/.nix-defexpr/channels to $NIX_PATH so that <nixpkgs> # Append ~/.nix-defexpr/channels to $NIX_PATH so that <nixpkgs>
# paths work when the user has fetched the Nixpkgs channel. # paths work when the user has fetched the Nixpkgs channel.
export NIX_PATH=${NIX_PATH:+$NIX_PATH:}$HOME/.nix-defexpr/channels export NIX_PATH=${NIX_PATH:+$NIX_PATH:}$HOME/.nix-defexpr/channels
@ -78,6 +34,6 @@ if [ -n "$HOME" ] && [ -n "$USER" ]; then
export MANPATH="$NIX_LINK/share/man:$MANPATH" export MANPATH="$NIX_LINK/share/man:$MANPATH"
fi fi
export PATH="$NIX_LINK/bin:$__savedpath" export PATH="$NIX_LINK/bin:$PATH"
unset __savedpath NIX_LINK NIX_USER_PROFILE_DIR unset NIX_LINK NIX_USER_PROFILE_DIR
fi fi

View file

@ -70,15 +70,17 @@ LocalStore::LocalStore(const Params & params)
createSymlink(profilesDir, gcRootsDir + "/profiles"); createSymlink(profilesDir, gcRootsDir + "/profiles");
} }
for (auto & perUserDir : {profilesDir + "/per-user", gcRootsDir + "/per-user"}) {
createDirs(perUserDir);
if (chmod(perUserDir.c_str(), 0755) == -1)
throw SysError("could not set permissions on '%s' to 755", perUserDir);
}
createUser(getUserName(), getuid());
/* Optionally, create directories and set permissions for a /* Optionally, create directories and set permissions for a
multi-user install. */ multi-user install. */
if (getuid() == 0 && settings.buildUsersGroup != "") { if (getuid() == 0 && settings.buildUsersGroup != "") {
Path perUserDir = profilesDir + "/per-user";
createDirs(perUserDir);
if (chmod(perUserDir.c_str(), 01777) == -1)
throw SysError(format("could not set permissions on '%1%' to 1777") % perUserDir);
mode_t perm = 01775; mode_t perm = 01775;
struct group * gr = getgrnam(settings.buildUsersGroup.get().c_str()); struct group * gr = getgrnam(settings.buildUsersGroup.get().c_str());
@ -1432,4 +1434,19 @@ void LocalStore::signPathInfo(ValidPathInfo & info)
} }
void LocalStore::createUser(const std::string & userName, uid_t userId)
{
for (auto & dir : {
fmt("%s/profiles/per-user/%s", stateDir, userName),
fmt("%s/gcroots/per-user/%s", stateDir, userName)
}) {
createDirs(dir);
if (chmod(dir.c_str(), 0755) == -1)
throw SysError("changing permissions of directory '%s'", dir);
if (chown(dir.c_str(), userId, 0) == -1)
throw SysError("changing owner of directory '%s'", dir);
}
}
} }

View file

@ -293,6 +293,8 @@ private:
Path getRealStoreDir() override { return realStoreDir; } Path getRealStoreDir() override { return realStoreDir; }
void createUser(const std::string & userName, uid_t userId) override;
friend class DerivationGoal; friend class DerivationGoal;
friend class SubstitutionGoal; friend class SubstitutionGoal;
}; };

View file

@ -628,6 +628,9 @@ public:
return storePath; return storePath;
} }
virtual void createUser(const std::string & userName, uid_t userId)
{ }
protected: protected:
Stats stats; Stats stats;

View file

@ -475,6 +475,16 @@ Path createTempDir(const Path & tmpRoot, const Path & prefix,
} }
std::string getUserName()
{
auto pw = getpwuid(geteuid());
std::string name = pw ? pw->pw_name : getEnv("USER", "");
if (name.empty())
throw Error("cannot figure out user name");
return name;
}
static Lazy<Path> getHome2([]() { static Lazy<Path> getHome2([]() {
Path homeDir = getEnv("HOME"); Path homeDir = getEnv("HOME");
if (homeDir.empty()) { if (homeDir.empty()) {

View file

@ -126,6 +126,8 @@ void deletePath(const Path & path, unsigned long long & bytesFreed);
Path createTempDir(const Path & tmpRoot = "", const Path & prefix = "nix", Path createTempDir(const Path & tmpRoot = "", const Path & prefix = "nix",
bool includePid = true, bool useGlobalCounter = true, mode_t mode = 0755); bool includePid = true, bool useGlobalCounter = true, mode_t mode = 0755);
std::string getUserName();
/* Return $HOME or the user's home directory from /etc/passwd. */ /* Return $HOME or the user's home directory from /etc/passwd. */
Path getHome(); Path getHome();

View file

@ -159,13 +159,7 @@ static int _main(int argc, char ** argv)
nixDefExpr = home + "/.nix-defexpr"; nixDefExpr = home + "/.nix-defexpr";
// Figure out the name of the channels profile. // Figure out the name of the channels profile.
; profile = fmt("%s/profiles/per-user/%s/channels", settings.nixStateDir, getUserName());
auto pw = getpwuid(geteuid());
std::string name = pw ? pw->pw_name : getEnv("USER", "");
if (name.empty())
throw Error("cannot figure out user name");
profile = settings.nixStateDir + "/profiles/per-user/" + name + "/channels";
createDirs(dirOf(profile));
enum { enum {
cNone, cNone,

View file

@ -742,7 +742,8 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
} }
static void processConnection(bool trusted) static void processConnection(bool trusted,
const std::string & userName, uid_t userId)
{ {
MonitorFdHup monitor(from.fd); MonitorFdHup monitor(from.fd);
@ -793,6 +794,8 @@ static void processConnection(bool trusted)
params["path-info-cache-size"] = "0"; params["path-info-cache-size"] = "0";
auto store = openStore(settings.storeUri, params); auto store = openStore(settings.storeUri, params);
store->createUser(userName, userId);
tunnelLogger->stopWork(); tunnelLogger->stopWork();
to.flush(); to.flush();
@ -1053,7 +1056,7 @@ static void daemonLoop(char * * argv)
/* Handle the connection. */ /* Handle the connection. */
from.fd = remote.get(); from.fd = remote.get();
to.fd = remote.get(); to.fd = remote.get();
processConnection(trusted); processConnection(trusted, user, peer.uid);
exit(0); exit(0);
}, options); }, options);
@ -1133,7 +1136,7 @@ static int _main(int argc, char * * argv)
} }
} }
} else { } else {
processConnection(true); processConnection(true, "root", 0);
} }
} else { } else {
daemonLoop(argv); daemonLoop(argv);

View file

@ -192,12 +192,6 @@ static void loadDerivations(EvalState & state, Path nixExprPath,
} }
static Path getDefNixExprPath()
{
return getHome() + "/.nix-defexpr";
}
static long getPriority(EvalState & state, DrvInfo & drv) static long getPriority(EvalState & state, DrvInfo & drv)
{ {
return drv.queryMetaInt("priority", 0); return drv.queryMetaInt("priority", 0);
@ -1327,9 +1321,20 @@ static int _main(int argc, char * * argv)
Globals globals; Globals globals;
globals.instSource.type = srcUnknown; globals.instSource.type = srcUnknown;
globals.instSource.nixExprPath = getDefNixExprPath(); globals.instSource.nixExprPath = getHome() + "/.nix-defexpr";
globals.instSource.systemFilter = "*"; globals.instSource.systemFilter = "*";
if (!pathExists(globals.instSource.nixExprPath)) {
createDirs(globals.instSource.nixExprPath);
replaceSymlink(
fmt("%s/profiles/per-user/%s/channels", settings.nixStateDir, getUserName()),
globals.instSource.nixExprPath + "/channels");
if (getuid() != 0)
replaceSymlink(
fmt("%s/profiles/per-user/root/channels", settings.nixStateDir),
globals.instSource.nixExprPath + "/channels_root");
}
globals.dryRun = false; globals.dryRun = false;
globals.preserveInstalled = false; globals.preserveInstalled = false;
globals.removeAll = false; globals.removeAll = false;
@ -1422,9 +1427,14 @@ static int _main(int argc, char * * argv)
if (globals.profile == "") { if (globals.profile == "") {
Path profileLink = getHome() + "/.nix-profile"; Path profileLink = getHome() + "/.nix-profile";
globals.profile = pathExists(profileLink) if (!pathExists(profileLink)) {
? absPath(readLink(profileLink), dirOf(profileLink)) replaceSymlink(
: canonPath(settings.nixStateDir + "/profiles/default"); getuid() == 0
? settings.nixStateDir + "/profiles/default"
: fmt("%s/profiles/per-user/%s/profile", settings.nixStateDir, getUserName()),
profileLink);
}
globals.profile = absPath(readLink(profileLink), dirOf(profileLink));
} }
op(globals, opFlags, opArgs); op(globals, opFlags, opArgs);

View file

@ -36,7 +36,7 @@ grep -q 'item.*attrPath="foo".*name="dependencies"' $TEST_ROOT/meta.xml
# Do an install. # Do an install.
nix-env -i dependencies nix-env -i dependencies
[ -e $TEST_ROOT/var/nix/profiles/default/foobar ] [ -e $TEST_HOME/.nix-profile/foobar ]
clearProfiles clearProfiles
rm -f $TEST_HOME/.nix-channels rm -f $TEST_HOME/.nix-channels
@ -55,5 +55,5 @@ grep -q 'item.*attrPath="foo".*name="dependencies"' $TEST_ROOT/meta.xml
# Do an install. # Do an install.
nix-env -i dependencies nix-env -i dependencies
[ -e $TEST_ROOT/var/nix/profiles/default/foobar ] [ -e $TEST_HOME/.nix-profile/foobar ]

View file

@ -7,8 +7,3 @@ rm -rf $TEST_HOME $TEST_ROOT/profile-var
mkdir -p $TEST_HOME mkdir -p $TEST_HOME
USER=$user $SHELL -e -c ". $TEST_ROOT/nix-profile.sh; set" USER=$user $SHELL -e -c ". $TEST_ROOT/nix-profile.sh; set"
USER=$user $SHELL -e -c ". $TEST_ROOT/nix-profile.sh" # test idempotency USER=$user $SHELL -e -c ". $TEST_ROOT/nix-profile.sh" # test idempotency
[ -L $TEST_HOME/.nix-profile ]
[ -e $TEST_HOME/.nix-channels ]
[ -e $TEST_ROOT/profile-var/nix/gcroots/per-user/$user ]
[ -e $TEST_ROOT/profile-var/nix/profiles/per-user/$user ]

View file

@ -13,3 +13,7 @@ cmp $TEST_ROOT/d1 $TEST_ROOT/d2
nix-store --gc --max-freed 1K nix-store --gc --max-freed 1K
killDaemon killDaemon
user=$(whoami)
[ -e $NIX_STATE_DIR/gcroots/per-user/$user ]
[ -e $NIX_STATE_DIR/profiles/per-user/$user ]

View file

@ -20,7 +20,7 @@ drvPath10=$(nix-env -f ./user-envs.nix -qa --drv-path --no-name '*' | grep foo-1
# Query descriptions. # Query descriptions.
nix-env -f ./user-envs.nix -qa '*' --description | grep -q silly nix-env -f ./user-envs.nix -qa '*' --description | grep -q silly
rm -f $HOME/.nix-defexpr rm -rf $HOME/.nix-defexpr
ln -s $(pwd)/user-envs.nix $HOME/.nix-defexpr ln -s $(pwd)/user-envs.nix $HOME/.nix-defexpr
nix-env -qa '*' --description | grep -q silly nix-env -qa '*' --description | grep -q silly