roberth
commented
9 months ago Ephemeral container runtimes are a very open problem that Nix shouldn't try to solve by itself. Instead it could let the user pick a container system (and perhaps have a default), using a --store location derived from the flakeref.
The latter is needed in order to allow input-addressed (ie non-ca) derivations to be used in the container without having to trust a potentially malicious binary cache.
equally dangerous to a malicious script run with
curl | bash.
Yes, Nix will easily execute arbitrary code, even without a sandbox in such examples as nix run or nix develop.
Is your feature request related to a problem? Please describe. My understanding is that with a traditional Nix Shell, build inputs were almost always official NixPkgs. Nix Flakes make it more convenient use build inputs from elsewhere, including potentially malicious sources.
As Nix Flakes become more popular, this could be taken advantage of to hide malicious code in a Nix Flake. i.e. a coding tutorial hiding a malicious script.
A malicious Nix Flake could potentially be equally dangerous to a malicious script run with
curl | bash.Describe the solution you'd like Nix daemon option to run Flakes in an ephemeral container by default.
I understand one of the major benefits of Nix is code running natively on the user's system. This security suggestion would definitely roll back some of that benefit.
This request is provide a configuration option in the Nix daemon so that
nix build,nix run,nix flake check, etc. are run inside ephemeral containers. Would this help to protect the user's system?Per this suggestion: https://news.ycombinator.com/item?id=37621921 possibly
nix-snapshottercan help? https://github.com/pdtpartners/nix-snapshotterDescribe alternatives you've considered
Additional context
Priorities