nix-daemon: emit a warning if untrusted user tries to set build parameters #2692

Closed

Ma27 (Member) commented Feb 21, 2019

It's documented in the NixOS wiki that untrusted users can't set build
machines using `--builders` or `--option builders`[1]. This should cause
a warning at least to avoid confusion why the options won't take any
effect.

This applies to all options except `connect-timeout`, `timeout` and
`builders` if the value is empty.

[1] https://nixos.wiki/wiki/Distributed_build


I tested the behavior with the following VM declaration built from the nixpkgs master:

{
  nixpatch = { pkgs, ... }: {
    nix.package = pkgs.nix.overrideAttrs (old: {
      patches = [ ../nix/0001-nix-daemon-emit-a-warning-if-untrusted-user-tries-to.patch ];
    });

    users.extraUsers.vm = {
      password = "vm";
      isNormalUser = true;
    };
  };
}
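
Added example, not part of this pull request and not the nix-daemon source: a simplified C++ model of the rule in the description above, where an untrusted client's options are ignored with a warning unless they are `connect-timeout`, `timeout`, or an empty `builders`. The type and function names, the warning wording and the sample options are assumptions made for illustration.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Simplified model of the rule in the PR description. All names are
// hypothetical; this is not the nix-daemon source.
using Overrides = std::vector<std::pair<std::string, std::string>>;

struct OverrideResult {
    std::map<std::string, std::string> applied; // settings the daemon accepts
    std::vector<std::string> warnings;          // one line per ignored setting
};

// Options an untrusted client may still set: connect-timeout, timeout,
// and builders only when the value is empty.
static bool allowedForUntrusted(const std::string & name, const std::string & value) {
    if (name == "connect-timeout" || name == "timeout") return true;
    return name == "builders" && value.empty();
}

OverrideResult applyClientOverrides(bool trusted, const Overrides & overrides) {
    OverrideResult res;
    for (const auto & kv : overrides) {
        if (trusted || allowedForUntrusted(kv.first, kv.second))
            res.applied[kv.first] = kv.second;
        else
            // Warn rather than drop silently, so the user can see why
            // the option had no effect. Message wording is constructed.
            res.warnings.push_back("ignoring setting '" + kv.first +
                                   "': user is not trusted");
    }
    return res;
}

int main() {
    // Constructed sample of options sent by a client.
    Overrides sent = {{"builders", "ssh://builder.example x86_64-linux"},
                      {"timeout", "60"}, {"connect-timeout", "5"}, {"max-jobs", "8"}};
    OverrideResult r = applyClientOverrides(false, sent);
    for (const auto & w : r.warnings) std::cerr << "warning: " << w << "\n";
    for (const auto & kv : r.applied) std::cout << kv.first << " = " << kv.second << "\n";
    return 0;
}
```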

Ma27 (Member, Author) commented Feb 24, 2019

Is there anything that keeps this from getting merged? :)

Ma27 (Member, Author) commented Mar 8, 2019

Ping @shlevy

…eters

It's documented in the NixOS wiki that untrusted users can't set build
machines using `--builders` or `--option builders`[1]. This should cause
a warning at least to avoid confusion why the options won't take any
effect.

This applies to all options except `connect-timeout`, `timeout` and
`builders` if the value is empty.

[1] https://nixos.wiki/wiki/Distributed_build

Ma27 force-pushed the warn-untrusted-user-sets-builders branch from acc0e26 to 00d74f3 April 4, 2019 16:47

Ma27 (Member, Author) commented Apr 4, 2019

After reviewing the diff, I figured that it's actually sufficient to use a warn rather than a debug log entry.

yorickvP (Contributor) commented Jul 8, 2019

This change is in master now, PR can be closed :)

edolstra closed this Jul 8, 2019

Ma27 deleted the warn-untrusted-user-sets-builders branch July 12, 2019 15:46