NixOS / nix

Nix, the purely functional package manager
https://nixos.org/
GNU Lesser General Public License v2.1

Support file paths with a dotted basename #912

Closed copumpkin closed 7 months ago

copumpkin commented 8 years ago

Currently, I think the logic tries to set the "derivation" name to the basename when copying a path into the store. If that basename starts with a dot, Nix moans about not being able to copy it in.

Luckily, the derivation name doesn't matter all that much in Nix, so it can really be anything we want. Perhaps we could just have the file copying code strip out any leading dots from the name, or replace them with the string "dot"? That way we could do something like this:

{
  foo = mkDerivation {
    name = "foo";
    src = ./foo/bar/.baz;
  };
}

benley commented 7 years ago

Fixing this would be mighty handy for the various "manage your dotfiles with nix" tools out there.

benley commented 7 years ago

What actually are the security implications of allowing store names to start with a dot? Does nix reconstitute paths based on that name at some point, or is the store path just a unique key identifying the item in the store?

jeaye commented 6 years ago

Gah, I'm hitting this trying to do some dotfile management within NixOS:

  environment.etc =
  {
    "user/jeaye/.i3status.conf".source = ./data/.i3status.conf;
  };

Seems like an important feature for me, though looks like an activation script will have to do for now. Any more thoughts on this?

eqyiel commented 6 years ago

Is this still a technical restriction or is it really for security reasons like it says here: https://github.com/NixOS/nix/blob/master/src/libstore/store-api.cc#L85-L91

A bit of discussion in the home-manager repo: https://github.com/rycee/home-manager/issues/4#issuecomment-281477793

shlevy commented 6 years ago

This can be worked around with builtins.path. You can provide an alternate name for the file in the store.

eqyiel commented 6 years ago

@shlevy that works, thanks for the tip!

~
❯ nix repl
Welcome to Nix version 2.0.4. Type :? for help.

nix-repl> builtins.path { path = "/home/eqyiel/.zshrc"; name = "zshrc"; }
"/nix/store/zsdswnfqj54hbk0r3h66gz2vxfsl5v1j-zshrc"

nix-repl>

~
❯ head /nix/store/zsdswnfqj54hbk0r3h66gz2vxfsl5v1j-zshrc
source "/nix/store/jk28835dkq3i1sypgww16fai1x5jkk3n-grml-etc-core-af65087/etc/zsh/zshrc"

for i in ${HOME}/.config/zsh/functions/*; do autoload -Uz "$(basename $i)"; done

if [[ -z "$(pgrep gpg-agent)" ]]; then
  eval "$(/nix/store/2ha2niscnxfqmfn269khmf8x3xl4mxwp-gnupg-2.2.8/bin/gpg-agent --daemon --enable-ssh-support --sh)"
fi

# Don't let gnome's ssh agent clobber this variable
if isdarwin; then

~
❯
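The builtins.path workaround above, and the environment.etc use case earlier in the thread, generalised into a small reusable helper. This is an added example, not code from the issue or from the Nix project: the helper names `undotted` and `importDotfile` are hypothetical, and `./data/.i3status.conf` is assumed to exist next to the file. It implements the rename that copumpkin proposed (strip leading dots from the store-path name) at import time, so the store entry is accepted by every Nix version mentioned in the thread, while the destination under /etc keeps its original dotted name.

```nix
# Added example (not from the issue or the Nix code base): import a dotfile into
# the store under a basename without the leading dot. Only the store-path *name*
# changes; the file contents are copied as-is.
{ ... }:
let
  # Drop every leading "." from a basename. If nothing is left (a basename of
  # "." or ".."), fall back to the constant "dotfile" rather than producing an
  # empty store name. Helper name is hypothetical.
  undotted = base:
    let
      # builtins.match uses POSIX ERE; "[.]*(.*)" always matches and captures
      # whatever follows the run of leading dots.
      m = builtins.match "[.]*(.*)" base;
      stripped = if m == null then base else builtins.head m;
    in
    if stripped == "" then "dotfile" else stripped;

  # Copy `p` into the store, overriding the store-path name with the undotted
  # basename. builtins.path (Nix >= 2.0) accepts either a path or an absolute
  # path string here, exactly as in the nix repl session above.
  importDotfile = p:
    builtins.path {
      path = p;
      name = undotted (baseNameOf p);
    };
in
{
  # Same shape as the environment.etc snippet from the thread. The /etc target
  # keeps its dotted name; only the store path becomes .../<hash>-i3status.conf.
  # Assumes ./data/.i3status.conf exists relative to this file.
  environment.etc."user/jeaye/.i3status.conf".source =
    importDotfile ./data/.i3status.conf;
}
```

Evaluating the helper on its own (for instance with `nix-instantiate --eval -E` and the `let` block copied in) gives `undotted ".zshrc" == "zshrc"`, `undotted "..hidden" == "hidden"` and `undotted ".." == "dotfile"`. The fallback matters because `.` and `..` are the names the store check was guarding against in the first place, so a helper that merely stripped dots would otherwise turn them into an empty name.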

stale[bot] commented 3 years ago

I marked this as stale due to inactivity. → More info

stale[bot] commented 2 years ago

I closed this issue due to inactivity. → More info

Ericson2314 commented 8 months ago

Oh ha (see #9095) we've gone back and forth with this since this issue was opened I guess.

roberth commented 7 months ago

Let's track leading period support here.

Nix versions that denied leading periods are currently:

adrian-gierakowski commented 5 months ago

Let's track leading period support here.

Nix versions that denied leading periods are currently:

  • 2.20.*
  • 2.19.*
  • as of yet unreleased backports into 2.13 up to 2.18.x
  • 2.3.* and older

how can I check if the backports have been released? https://nixos.org/manual/nix/stable/release-notes doesn't contain release notes for patch releases, and releases on github don't seem to come with a changelog

thanks!

roberth commented 5 months ago

We have some support for minor release notes in our minor release process. Unfortunately,

cc @edolstra

adrian-gierakowski commented 5 months ago

Thanks @roberth!

adrian-gierakowski commented 5 months ago

just wanted to clarify the above:

as of yet unreleased backports into 2.13 up to 2.18.x

I checked 2.18.2, and it denies leading dots in paths, so the backport seems to have made it

Given https://nvd.nist.gov/vuln/detail/CVE-2024-27297, and that currently only the following nix versions contain the patch for it:

2.21.2
2.21.1
2.21.0
2.20.6
2.20.5
2.18.2
2.19.4
2.17.2
2.16.3
2.3.18

the only secure option available to people who want to avoid the dot problem is to use nix >= 2.21 (or 2.20.5, see EDIT below)

note that:

  1. the list above is my guess based on recently released patch versions here: https://github.com/NixOS/nix/tags
  2. I've only personally tested 2.16.3, 2.18.2 and 2.21.x for the dot issue

EDIT: just tested 2.20.5 and it supports dotted paths as well :tada: