Rethink netrc/auth-helping handling: multiple netrcs? protocol auth-helping support? #254

New issue

Open

opened 2024-04-30 20:46:42 +00:00 by jade · 0 comments

jade commented

2024-04-30 20:46:42 +00:00

Owner

The behaviour of Lix with respect to fetching things in a manner that uses the netrc is confusing. In particular, the following works (on a currently auth requiring repo):

nix flake metadata -vvv 'git+https://git.lix.systems/api/v1/repos/lix-project/flake-compat'

However~! This is because Lix shells out to git as the calling user, which then reads ~/.netrc. Lix itself completely ignores ~/.netrc by default, which is surprising to this creature at least.

Thus, by default this does not work if only ~/.netrc is configured (assuming this requires auth):

nix flake metadata -vvv 'tarball+https://git.lix.systems/api/v1/repos/lix-project/flake-compat/archive/master.tar.gz'

A fix is to set netrc-file for the calling user, but then if the daemon needs the netrc for a build of a builtin:fetchurl derivation, that doesn't work.

We know of attempts upstream to do credential helping via the protocol, but we don't really like the approach (i.e. forwarding the ssh agent to the daemon), since it introduces somewhat concerning attack surface by exposing the entire ssh agent protocol of ssh processes running as root to the user, which was not the case in the past.

Realistically fixing this cleanly requires a protocol rearchitecture to natively support credential-helping through the client side process, which is a priority for us but is somewhat distant.

The behaviour of Lix with respect to fetching things in a manner that uses the netrc is confusing. In particular, the following works (on a currently auth requiring repo): ``` nix flake metadata -vvv 'git+https://git.lix.systems/api/v1/repos/lix-project/flake-compat' ``` However~! This is *because* Lix shells out to `git` as the calling user, which then reads `~/.netrc`. Lix itself completely ignores `~/.netrc` by default, which is surprising to this creature at least. Thus, by default this does not work if only `~/.netrc` is configured (assuming this requires auth): ``` nix flake metadata -vvv 'tarball+https://git.lix.systems/api/v1/repos/lix-project/flake-compat/archive/master.tar.gz' ``` A fix is to set `netrc-file` for the calling user, but then if the daemon needs the netrc for a build of a `builtin:fetchurl` derivation, *that* doesn't work. --- We know of attempts upstream to do credential helping via the protocol, but we don't really like the approach (i.e. forwarding the ssh agent to the daemon), since it introduces somewhat concerning attack surface by exposing the entire ssh agent protocol of ssh processes running as root to the user, which was not the case in the past. Realistically fixing this cleanly requires a protocol rearchitecture to natively support credential-helping through the client side process, which is a priority for us but is somewhat distant.