From 4d1b64f118cf6ebcbf530bea4a3c531704d7d6ba Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 31 Jul 2012 18:56:22 -0400 Subject: [PATCH] =?UTF-8?q?Allow=20daemon=20users=20to=20override=20?= =?UTF-8?q?=E2=80=98binary-caches=E2=80=99?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit For security reasons, daemon users can only specify caches that appear in the ‘binary-caches’ and ‘trusted-binary-caches’ options in nix.conf. --- doc/manual/conf-file.xml | 13 ++++++++++ scripts/download-from-binary-cache.pl.in | 30 +++++++++++++++++++++--- 2 files changed, 40 insertions(+), 3 deletions(-) diff --git a/doc/manual/conf-file.xml b/doc/manual/conf-file.xml index c19e44ebf..c09d46206 100644 --- a/doc/manual/conf-file.xml +++ b/doc/manual/conf-file.xml @@ -329,6 +329,19 @@ build-use-chroot = /dev /proc /bin + trusted-binary-caches + + A list of URLs of binary caches, separated by + whitespace. These are not used by default, but can be enabled by + users of the Nix daemon by specifying --option + binary-caches urls on the + command line. Daemon users are only allowed to pass a subset of + the URLs listed in binary-caches and + trusted-binary-caches. + + + + binary-caches-parallel-connections The maximum number of parallel HTTP connections diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in index 5d65e664e..3f7d3ef45 100644 --- a/scripts/download-from-binary-cache.pl.in +++ b/scripts/download-from-binary-cache.pl.in @@ -8,6 +8,7 @@ use Nix::Store; use Nix::Utils; use WWW::Curl::Easy; use WWW::Curl::Multi; +use List::MoreUtils qw(any); use strict; 
@@ -166,9 +167,32 @@ sub getAvailableCaches {
 return if $gotCaches;
 $gotCaches = 1;
- my @urls = map { s/\/+$//; $_ } split(/ /,
- $Nix::Config::config{"binary-caches"}
- // ($Nix::Config::storeDir eq "/nix/store" ? "http://nixos.org/binary-cache" : ""));
+ sub strToList {
+ my ($s) = @_;
+ return map { s/\/+$//; $_ } split(/ /, $s);
+ }
+
+ my @urls = strToList
+ ($Nix::Config::config{"binary-caches"}
+ // ($Nix::Config::storeDir eq "/nix/store" ? "http://nixos.org/binary-cache" : ""));
+
+ # Allow Nix daemon users to override the binary caches to a subset
+ # of those listed in the config file. Note that ‘untrusted-*’
+ # denotes options passed by the client.
+ if (defined $Nix::Config::config{"untrusted-binary-caches"}) {
+ my @untrustedUrls = strToList $Nix::Config::config{"untrusted-binary-caches"};
+ my @trustedUrls = (@urls, strToList($Nix::Config::config{"trusted-binary-caches"} // ""));
+ @urls = ();
+ foreach my $url (@untrustedUrls) {
+ if (any { $url eq $_ } @trustedUrls) {
+ push @urls, $url;
+ } else {
+ # FIXME: should die here, but we currently can't
+ # deliver error messages to clients.
+ warn "warning: binary cache ‘$url’ is not trusted (please add it to ‘trusted-binary-caches’ in $Nix::Config::confDir/nix.conf)\n";
+ }
+ }
+ }
 foreach my $url (@urls) {
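Review bot: `strToList` splits on a single literal space (`split(/ /, $s)`), while the manual text added in this same commit describes these options as whitespace-separated. A tab, newline or doubled space in `binary-caches`, `trusted-binary-caches` or the client-supplied `untrusted-binary-caches` therefore produces empty or fused entries that the exact `eq` comparison cannot match. The allow-list still fails closed, but legitimate caches are dropped with only a daemon-side warning; `return map { s/\/+$//; $_ } split(' ', $s);` would split on any whitespace run and discard leading empty fields. The `warn` line also interpolates the client-controlled `$url` verbatim, so any control characters that survive the split end up in the daemon's log output; stripping non-printable characters before printing would avoid that. `getAvailableCaches` continues past the end of this hunk.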