NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Capability style package security via package users and groups #39033

Open elspru opened 6 years ago

elspru commented 6 years ago

Issue description

While Linux doesn't support capabilities, NixOS is one of the best candidates as a transitional OS. The issue is that normal users and all apps have read and execute access to all items in the store. This may allow people to use applications they shouldn't be using, and to take advantage of exploits which may be available in them.

Steps to reproduce

ls -l /nix/store

shows that everyone has read access to everything in the store.

Potential fix

One could make a username and group for each package, with the package user being in the groups of any run-time dependencies if they use setuid, and then disable read access for "other" in the store.

The normal users would be in the groups of the apps/packages they are allowed to use.

Ekleog commented 6 years ago

The packages in the store are never setuid, so even if there are exploits in them it wouldn't allow a user to escalate privilege in the scenario you put forward, I think.

As a consequence, I'm not really sure what problem your solution is trying to solve? (Also, there is a potential problem with it: if each package is setuid [some package-specific user], then it will be hard for it to e.g. write files on request of the user who started them.)
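The two claims above (that every store path is readable by "other", and that store paths are never setuid) can both be checked with a small audit script. The script below is an added example, not code from the nixpkgs issue or the Nix project; it scans a store-like directory with find, and builds a constructed sample tree so it can be exercised offline. The store path defaults to /nix/store; the sample directory names are made up.

```sh
#!/bin/sh
# Added example (not from the nixpkgs issue): audit a store-like directory
# for entries readable by "other" and for files carrying setuid/setgid bits.

# Count entries directly under $1 whose mode grants read permission to "other".
count_world_readable() {
    find "$1" -mindepth 1 -maxdepth 1 -perm -004 | wc -l | tr -d ' '
}

# Count regular files anywhere under $1 with the setuid or setgid bit set.
count_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# Build a constructed sample tree so the script runs without a real Nix store:
# three "store paths", one of which is not world-readable and one of which
# contains a (constructed) setuid file.
make_sample_store() {
    dir=$(mktemp -d)
    mkdir "$dir/aaa-hello-1.0" "$dir/bbb-private-2.0" "$dir/ccc-tool-3.0"
    chmod 0755 "$dir/aaa-hello-1.0" "$dir/ccc-tool-3.0"
    chmod 0750 "$dir/bbb-private-2.0"
    printf '#!/bin/sh\necho hi\n' > "$dir/ccc-tool-3.0/run"
    chmod 4755 "$dir/ccc-tool-3.0/run"   # constructed setuid file
    printf '%s\n' "$dir"
}

# Print both counts for the given store directory.
audit_store() {
    echo "world-readable top-level entries: $(count_world_readable "$1")"
    echo "setuid/setgid files: $(count_setid "$1")"
}

# Usage: ./audit-store.sh [store-dir]   (defaults to /nix/store)
if [ -d "${1:-/nix/store}" ]; then
    audit_store "${1:-/nix/store}"
fi
```

On a real NixOS system the first count equals the number of store paths and the second is expected to be zero; a non-zero setuid count would be worth investigating, since the store is not supposed to carry such bits.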

MostAwesomeDude commented 4 years ago

I think that fixing this is beyond the scope of Nix. Not that it's not desirable, just far beyond anything we have the ability to build.

The problem that is trying to be solved is exactly what is stated: Being able to enumerate the Nix store is incompatible with package-capability isolation guarantees.

stale[bot] commented 3 years ago

I marked this as stale due to inactivity.