base repository: NixOS/nix
base: 20c3bdbed616^
head repository: NixOS/nix
compare: 956f82bb6c09
  • 3 commits
  • 11 files changed
  • 1 contributor

Commits on Oct 9, 2019

  1. Remove world-writability from per-user directories

    'nix-daemon' now creates subdirectories for users when they first
    connect.
    edolstra committed Oct 9, 2019

    Verified

    This commit was signed with the committer’s verified signature.
    20c3bdb View commit details
  2. Copy the full SHA
    1872ae2 View commit details
  3. nix-profile.sh: Don't create .nix-channels

    This is already done by the installer, so no need to do it again.
    edolstra committed Oct 9, 2019
    956f82b View commit details
2 changes: 1 addition & 1 deletion nix.spec.in
@@ -106,7 +106,7 @@ chmod 1775 $RPM_BUILD_ROOT/nix/store
for d in profiles gcroots;
do
mkdir -p $RPM_BUILD_ROOT/nix/var/nix/$d/per-user
chmod 1777 $RPM_BUILD_ROOT/nix/var/nix/$d/per-user
chmod 755 $RPM_BUILD_ROOT/nix/var/nix/$d/per-user
done

# fix permission of nix profile
15 changes: 4 additions & 11 deletions scripts/install-multi-user.sh
@@ -437,24 +437,17 @@ create_build_users() {
}

create_directories() {
# FIXME: remove all of this because it duplicates LocalStore::LocalStore().

_sudo "to make the basic directory structure of Nix (part 1)" \
mkdir -pv -m 0755 /nix /nix/var /nix/var/log /nix/var/log/nix /nix/var/log/nix/drvs /nix/var/nix{,/db,/gcroots,/profiles,/temproots,/userpool}
mkdir -pv -m 0755 /nix /nix/var /nix/var/log /nix/var/log/nix /nix/var/log/nix/drvs /nix/var/nix{,/db,/gcroots,/profiles,/temproots,/userpool} /nix/var/nix/{gcroots,profiles}/per-user

_sudo "to make the basic directory structure of Nix (part 2)" \
mkdir -pv -m 1777 /nix/var/nix/{gcroots,profiles}/per-user

_sudo "to make the basic directory structure of Nix (part 3)" \
mkdir -pv -m 1775 /nix/store

_sudo "to make the basic directory structure of Nix (part 4)" \
_sudo "to make the basic directory structure of Nix (part 3)" \
chgrp "$NIX_BUILD_GROUP_NAME" /nix/store

_sudo "to set up the root user's profile (part 1)" \
mkdir -pv -m 0755 /nix/var/nix/profiles/per-user/root

_sudo "to set up the root user's profile (part 2)" \
mkdir -pv -m 0700 "$ROOT_HOME/.nix-defexpr"

_sudo "to place the default nix daemon configuration (part 1)" \
mkdir -pv -m 0555 /etc/nix
}
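Review bot: The part 1 `mkdir -pv -m 0755` that now includes `/nix/var/nix/{gcroots,profiles}/per-user` only applies the mode to directories it creates, so on a host where those directories already exist with the old 1777 mode the installer leaves them world-writable. The C++ side of this change does an explicit chmod to 0755 when the store is opened, but the installer should not depend on that having run first. I would add an explicit step after part 1, `_sudo "to remove world-writability from the per-user directories" chmod 0755 /nix/var/nix/{gcroots,profiles}/per-user`.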
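--- a/scripts/nix-profile-daemon.sh.in
+++ b/scripts/nix-profile-daemon.sh.in
@@ -5,12 +5,6 @@ __ETC_PROFILE_NIX_SOURCED=1
 export NIX_USER_PROFILE_DIR="@localstatedir@/nix/profiles/per-user/$USER"
 export NIX_PROFILES="@localstatedir@/nix/profiles/default $HOME/.nix-profile"
 
-# Set up the per-user profile.
-mkdir -m 0755 -p $NIX_USER_PROFILE_DIR
-if ! test -O "$NIX_USER_PROFILE_DIR"; then
-echo "WARNING: bad ownership on $NIX_USER_PROFILE_DIR" >&2
-fi
-
 if test -w $HOME; then
 if ! test -L $HOME/.nix-profile; then
 if test "$USER" != root; then
@@ -21,18 +15,6 @@ if test -w $HOME; then
 fi
 fi
 
-# Subscribe the root user to the NixOS channel by default.
-if [ "$USER" = root -a ! -e $HOME/.nix-channels ]; then
-echo "https://nixos.org/channels/nixpkgs-unstable nixpkgs" > $HOME/.nix-channels
-fi
-
-# Create the per-user garbage collector roots directory.
-NIX_USER_GCROOTS_DIR=@localstatedir@/nix/gcroots/per-user/$USER
-mkdir -m 0755 -p $NIX_USER_GCROOTS_DIR
-if ! test -O "$NIX_USER_GCROOTS_DIR"; then
-echo "WARNING: bad ownership on $NIX_USER_GCROOTS_DIR" >&2
-fi
-
 # Set up a default Nix expression from which to install stuff.
 if [ ! -e $HOME/.nix-defexpr -o -L $HOME/.nix-defexpr ]; then
 rm -f $HOME/.nix-defexpr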
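--- a/scripts/nix-profile.sh.in
+++ b/scripts/nix-profile.sh.in
@@ -9,12 +9,6 @@ if [ -n "$HOME" ] && [ -n "$USER" ]; then
 
 NIX_USER_PROFILE_DIR=@localstatedir@/nix/profiles/per-user/$USER
 
-mkdir -m 0755 -p "$NIX_USER_PROFILE_DIR"
-
-if [ "$(stat --printf '%u' "$NIX_USER_PROFILE_DIR")" != "$(id -u)" ]; then
-echo "Nix: WARNING: bad ownership on "$NIX_USER_PROFILE_DIR", should be $(id -u)" >&2
-fi
-
 if [ -w "$HOME" ]; then
 if ! [ -L "$NIX_LINK" ]; then
 echo "Nix: creating $NIX_LINK" >&2
@@ -28,19 +22,6 @@ if [ -n "$HOME" ] && [ -n "$USER" ]; then
 fi
 fi
 
-# Subscribe the user to the unstable Nixpkgs channel by default.
-if [ ! -e "$HOME/.nix-channels" ]; then
-echo "https://nixos.org/channels/nixpkgs-unstable nixpkgs" > "$HOME/.nix-channels"
-fi
-
-# Create the per-user garbage collector roots directory.
-__user_gcroots=@localstatedir@/nix/gcroots/per-user/"$USER"
-mkdir -m 0755 -p "$__user_gcroots"
-if [ "$(stat --printf '%u' "$__user_gcroots")" != "$(id -u)" ]; then
-echo "Nix: WARNING: bad ownership on $__user_gcroots, should be $(id -u)" >&2
-fi
-unset __user_gcroots
-
 # Set up a default Nix expression from which to install stuff.
 __nix_defexpr="$HOME"/.nix-defexpr
 [ -L "$__nix_defexpr" ] && rm -f "$__nix_defexpr"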
24 changes: 20 additions & 4 deletions src/libstore/local-store.cc
@@ -74,10 +74,11 @@ LocalStore::LocalStore(const Params & params)
multi-user install. */
if (getuid() == 0 && settings.buildUsersGroup != "") {

Path perUserDir = profilesDir + "/per-user";
createDirs(perUserDir);
if (chmod(perUserDir.c_str(), 01777) == -1)
throw SysError(format("could not set permissions on '%1%' to 1777") % perUserDir);
for (auto & perUserDir : {profilesDir + "/per-user", gcRootsDir + "/per-user"}) {
createDirs(perUserDir);
if (chmod(perUserDir.c_str(), 0755) == -1)
throw SysError("could not set permissions on '%s' to 755", perUserDir);
}

mode_t perm = 01775;

@@ -1432,4 +1433,19 @@ void LocalStore::signPathInfo(ValidPathInfo & info)
}


void LocalStore::createUser(const std::string & userName, uid_t userId)
{
for (auto & dir : {
fmt("%s/profiles/per-user/%s", stateDir, userName),
fmt("%s/gcroots/per-user/%s", stateDir, userName)
}) {
createDirs(dir);
if (chmod(dir.c_str(), 0700) == -1)
throw SysError("changing permissions of directory '%s'", dir);
if (chown(dir.c_str(), userId, -1) == -1)
throw SysError("changing owner of directory '%s'", dir);
}
}


}
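Review bot: In `LocalStore::createUser`, `chmod(dir.c_str(), 0700)` and `chown(dir.c_str(), userId, -1)` act on a path and follow symbolic links, and nothing here checks what `createDirs` found when an entry of that name already exists. The parent directories were mode 1777 until this change, so on an upgraded host the entries under `per-user` may predate the daemon taking over and need not be plain directories owned by the expected user. Because this runs in the daemon on each connection (presumably as root in a multi-user install), I would open the directory with `O_DIRECTORY | O_NOFOLLOW` and apply `fchmod`/`fchown` to the descriptor, as sketched below. `userName` is also interpolated into the path unchecked; rejecting names that contain `/` or equal `.` or `..` would be a cheap guard, though where the name comes from is outside this hunk.

```cpp
void LocalStore::createUser(const std::string & userName, uid_t userId)
{
    // … unchanged: loop over the profiles and gcroots per-user directories …
        createDirs(dir);
        // Work on the opened directory so that a symlink at 'dir' is refused
        // instead of being followed by chmod/chown.
        AutoCloseFD fd = open(dir.c_str(), O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        if (!fd)
            throw SysError("opening directory '%s'", dir);
        if (fchmod(fd.get(), 0700) == -1)
            throw SysError("changing permissions of directory '%s'", dir);
        if (fchown(fd.get(), userId, -1) == -1)
            throw SysError("changing owner of directory '%s'", dir);
```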
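--- a/src/libstore/local-store.hh
+++ b/src/libstore/local-store.hh
@@ -293,6 +293,8 @@ private:
 
 Path getRealStoreDir() override { return realStoreDir; }
 
+void createUser(const std::string & userName, uid_t userId) override;
+
 friend class DerivationGoal;
 friend class SubstitutionGoal;
 };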
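--- a/src/libstore/store-api.hh
+++ b/src/libstore/store-api.hh
@@ -628,6 +628,9 @@ public:
 return storePath;
 }
 
+virtual void createUser(const std::string & userName, uid_t userId)
+{ }
+
 protected:
 
 Stats stats;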
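Review bot: The new virtual `createUser` in `Store` has no comment, and its empty default means a store type that does not override it silently does nothing when the daemon calls it. A short comment would make that contract explicit, for example `/* Ensure that per-user state for this user exists (for LocalStore, the per-user profile and GC-root directories). The default implementation does nothing. */`. The class body continues outside the hunk.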
9 changes: 6 additions & 3 deletions src/nix-daemon/nix-daemon.cc
@@ -742,7 +742,8 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
}


static void processConnection(bool trusted)
static void processConnection(bool trusted,
const std::string & userName, uid_t userId)
{
MonitorFdHup monitor(from.fd);

@@ -793,6 +794,8 @@ static void processConnection(bool trusted)
params["path-info-cache-size"] = "0";
auto store = openStore(settings.storeUri, params);

store->createUser(userName, userId);

tunnelLogger->stopWork();
to.flush();

@@ -1053,7 +1056,7 @@ static void daemonLoop(char * * argv)
/* Handle the connection. */
from.fd = remote.get();
to.fd = remote.get();
processConnection(trusted);
processConnection(trusted, user, peer.uid);

exit(0);
}, options);
@@ -1133,7 +1136,7 @@ static int _main(int argc, char * * argv)
}
}
} else {
processConnection(true);
processConnection(true, "root", 0);
}
} else {
daemonLoop(argv);
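Review bot: The stdio branch in `_main` now calls `processConnection(true, "root", 0)`, hard-coding the identity that `store->createUser` uses to name and chown the per-user directories. Whether that branch can run under a non-root account is not visible here; if it can, `LocalStore::createUser` would attempt a chown to uid 0 and throw, and the directories would be named for the wrong user. I would pass the invoking identity instead, for example `processConnection(true, user, getuid());` with `user` looked up from that uid. A one-line comment on `processConnection` stating that `userName`/`userId` identify the connecting client and are used only to create its per-user directories would also help. The bodies of `processConnection`, `daemonLoop` and `_main` extend beyond these hunks.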
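--- a/tests/nix-profile.sh
+++ b/tests/nix-profile.sh
@@ -9,6 +9,3 @@ USER=$user $SHELL -e -c ". $TEST_ROOT/nix-profile.sh; set"
 USER=$user $SHELL -e -c ". $TEST_ROOT/nix-profile.sh" # test idempotency
 
 [ -L $TEST_HOME/.nix-profile ]
-[ -e $TEST_HOME/.nix-channels ]
-[ -e $TEST_ROOT/profile-var/nix/gcroots/per-user/$user ]
-[ -e $TEST_ROOT/profile-var/nix/profiles/per-user/$user ]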
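--- a/tests/remote-store.sh
+++ b/tests/remote-store.sh
@@ -13,3 +13,7 @@ cmp $TEST_ROOT/d1 $TEST_ROOT/d2
 nix-store --gc --max-freed 1K
 
 killDaemon
+
+user=$(whoami)
+[ -e $NIX_STATE_DIR/gcroots/per-user/$user ]
+[ -e $NIX_STATE_DIR/profiles/per-user/$user ]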
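Review bot: The two added `[ -e … ]` checks only test that the per-user directories exist, so they would still pass if the daemon created them world-writable or with the wrong owner, which is the property this change is meant to guarantee. I would also assert ownership, e.g. `[ -O "$NIX_STATE_DIR/profiles/per-user/$user" ]` and the same for `gcroots`. Where a suitable `stat` is available, check the mode too: `[ "$(stat --printf '%a' "$NIX_STATE_DIR/profiles/per-user/$user")" = 700 ]`. Quoting `$NIX_STATE_DIR` and `$user` in the existing lines would keep the tests from misparsing paths that contain spaces.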
2 changes: 1 addition & 1 deletion tests/user-envs.sh
@@ -20,7 +20,7 @@ drvPath10=$(nix-env -f ./user-envs.nix -qa --drv-path --no-name '*' | grep foo-1

# Query descriptions.
nix-env -f ./user-envs.nix -qa '*' --description | grep -q silly
rm -f $HOME/.nix-defexpr
rm -rf $HOME/.nix-defexpr
ln -s $(pwd)/user-envs.nix $HOME/.nix-defexpr
nix-env -qa '*' --description | grep -q silly