Closed copumpkin closed 7 months ago
Fixing this would be mighty handy for the various "manage your dotfiles with nix" tools out there.
What actually are the security implications of allowing store names to start with a dot? Does nix reconstitute paths based on that name at some point, or is the store path just a unique key identifying the item in the store?
Gah, I'm hitting this trying to do some dotfile management within NixOS:
environment.etc = {
  "user/jeaye/.i3status.conf".source = ./data/.i3status.conf;
};
Seems like an important feature for me, though looks like an activation script will have to do for now. Any more thoughts on this?
Is this still a technical restriction or is it really for security reasons like it says here: https://github.com/NixOS/nix/blob/master/src/libstore/store-api.cc#L85-L91
A bit of discussion in the home-manager repo: https://github.com/rycee/home-manager/issues/4#issuecomment-281477793
This can be worked around with builtins.path. You can provide an alternate name for the file in the store.
@shlevy that works, thanks for the tip!
~
❯ nix repl
Welcome to Nix version 2.0.4. Type :? for help.
nix-repl> builtins.path { path = "/home/eqyiel/.zshrc"; name = "zshrc"; }
"/nix/store/zsdswnfqj54hbk0r3h66gz2vxfsl5v1j-zshrc"
nix-repl>
~
❯ head /nix/store/zsdswnfqj54hbk0r3h66gz2vxfsl5v1j-zshrc
source "/nix/store/jk28835dkq3i1sypgww16fai1x5jkk3n-grml-etc-core-af65087/etc/zsh/zshrc"
for i in ${HOME}/.config/zsh/functions/*; do autoload -Uz "$(basename $i)"; done
if [[ -z "$(pgrep gpg-agent)" ]]; then
eval "$(/nix/store/2ha2niscnxfqmfn269khmf8x3xl4mxwp-gnupg-2.2.8/bin/gpg-agent --daemon --enable-ssh-support --sh)"
fi
# Don't let gnome's ssh agent clobber this variable
if isdarwin; then
~
❯
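The following is an added example, not code posted by anyone in this thread: it combines the builtins.path workaround above with the environment.etc pattern from the earlier comment. The helper names storeName and dotfile are my own, and it assumes a Nix with builtins.path (2.0 or later, as the repl session shows) used inside a NixOS module.

```nix
let
  # Derive a store name from a file's basename with any leading dots removed,
  # e.g. ".i3status.conf" -> "i3status.conf". builtins.match returns null on
  # no match, otherwise the list of capture groups; "\\.*(.*)" always matches
  # the whole string, so the head of the result is the basename minus its
  # leading dots.
  storeName = p:
    let
      stripped = builtins.head (builtins.match "\\.*(.*)" (baseNameOf p));
    in
      # "." and ".." (or a name made only of dots) would leave an empty
      # string, which is not a valid store name either; fall back to a
      # fixed label in that case.
      if stripped == "" then "dotfile" else stripped;

  # Copy a file into the store under the sanitised name. The dotted
  # basename is still what ends up under /etc, because that comes from
  # the environment.etc attribute name, not from the store path.
  dotfile = p: builtins.path { path = p; name = storeName p; };
in
{
  environment.etc = {
    # /etc/user/jeaye/.i3status.conf -> /nix/store/<hash>-i3status.conf
    "user/jeaye/.i3status.conf".source = dotfile ./data/.i3status.conf;
    "user/jeaye/.zshrc".source = dotfile ./data/.zshrc;
  };
}
```

The store name only labels the store path, so renaming it changes nothing for whatever reads the file from /etc; it does change the store path itself, since the hash covers the name, which is harmless here but worth knowing if something else refers to the copied file by its store path.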
I marked this as stale due to inactivity.
I closed this issue due to inactivity.
Oh ha (see #9095) we've gone back and forth with this since this issue was opened I guess.
Let's track leading period support here.
Nix versions that denied leading periods are currently:
- 2.20.*
- 2.19.*
- as of yet unreleased backports into 2.13 up to 2.18.x
- 2.3.* and older
how can I check if the backports have been released? https://nixos.org/manual/nix/stable/release-notes doesn't contain release notes for patch releases, and releases on github don't seem to come with a changelog
thanks!
We have some support for minor release notes in our minor release process. Unfortunately,
cc @edolstra
Thanks @roberth!
just wanted to clarify the above:
as of yet unreleased backports into 2.13 up to 2.18.x
I checked 2.18.2, and it denies leading dots in paths, so the backport seems to have made it
Given https://nvd.nist.gov/vuln/detail/CVE-2024-27297, and that currently only the following nix versions contain the patch for it:
2.21.2
2.21.1
2.21.0
2.20.6
2.20.5
2.18.2
2.19.4
2.17.2
2.16.3
2.3.18
the only secure option available to people who want to avoid the dot problem is to use nix >= 2.21 (or 2.20.5, see EDIT below)
note that: 2.16.3, 2.18.2 and 2.21.x for the dot issue
EDIT: just tested 2.20.5 and it supports dotted paths as well :tada:
Currently, I think the logic tries to set the "derivation" name to the basename when copying a path into the store. If that basename starts with a dot, Nix moans about not being able to copy it in.
Luckily, the derivation name doesn't matter all that much in Nix, so it can really be anything we want. Perhaps we could just have the file copying code strip out any leading dots from the name, or replace them with the string "dot"? That way we could do something like this: