Comparing changes: NixOS/nix

base repository: NixOS/nix
base: 88b291ffc4ae
head repository: NixOS/nix
compare: a10951de0811

  • 3 commits
  • 3 files changed
  • 1 contributor

Commits on Jun 14, 2017

  1. Remove redundant debug line
     edolstra (Eelco Dolstra) committed Jun 14, 2017
     Verified: signed with the committer’s verified signature
     SHA: 38b7d55
  2. Add 1.11.10 release notes
     (cherry picked from commit 0fb60e4)
     edolstra (Eelco Dolstra) committed Jun 14, 2017
     Verified: signed with the committer’s verified signature
     SHA: 1dcadad
  3. OS X -> macOS
     (cherry picked from commit c20641c)
     edolstra (Eelco Dolstra) committed Jun 14, 2017
     Verified: signed with the committer’s verified signature
     SHA: a10951d
Showing with 32 additions and 2 deletions.
  1. +1 −0 doc/manual/release-notes/release-notes.xml
  2. +31 −0 doc/manual/release-notes/rl-1.11.10.xml
  3. +0 −2 src/libstore/s3-binary-cache-store.cc
1 change: 1 addition & 0 deletions doc/manual/release-notes/release-notes.xml
@@ -13,6 +13,7 @@
-->

<xi:include href="rl-1.12.xml" />
<xi:include href="rl-1.11.10.xml" />
<xi:include href="rl-1.11.xml" />
<xi:include href="rl-1.10.xml" />
<xi:include href="rl-1.9.xml" />
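Review bot: the new include sits between rl-1.12.xml and rl-1.11.xml, which keeps the list in descending order, but no other 1.11.x point-release include appears in the surrounding context; if earlier 1.11.x point releases have notes elsewhere they should be included here as well for discoverability, and otherwise a short XML comment saying that point releases are listed between the major-version entries would stop the next addition from landing out of order. Also check that the new file's xml:id (ssec-relnotes-1.11.10 in the added file) matches the ssec-relnotes-* naming the other included sections use, so cross-references resolve.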
31 changes: 31 additions & 0 deletions doc/manual/release-notes/rl-1.11.10.xml
@@ -0,0 +1,31 @@
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="ssec-relnotes-1.11.10">

<title>Release 1.11.10 (2017-06-12)</title>

<para>This release fixes a security bug in Nix’s “build user” build
isolation mechanism. Previously, Nix builders had the ability to
create setuid binaries owned by a <literal>nixbld</literal>
user. Such a binary could then be used by an attacker to assume a
<literal>nixbld</literal> identity and interfere with subsequent
builds running under the same UID.</para>

<para>To prevent this issue, Nix now disallows builders to create
setuid and setgid binaries. On Linux, this is done using a seccomp BPF
filter. Note that this imposes a small performance penalty (e.g. 1%
when building GNU Hello). Using seccomp, we now also prevent the
creation of extended attributes and POSIX ACLs since these cannot be
represented in the NAR format and (in the case of POSIX ACLs) allow
bypassing regular Nix store permissions. On macOS, the restriction is
implemented using the existing sandbox mechanism, which now uses a
minimal “allow all except the creation of setuid/setgid binaries”
profile when regular sandboxing is disabled. On other platforms, the
“build user” mechanism is now disabled.</para>

<para>Thanks go to Linus Heckemann for discovering and reporting this
bug.</para>

</section>
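Review bot: the second paragraph says the seccomp BPF filter prevents setuid/setgid creation but never names the syscalls it intercepts, so a reader cannot judge coverage. State the list (presumably the chmod/fchmod/fchmodat family) and say whether the mode argument of open(O_CREAT)/creat/mkdir/mknod is also covered, since those can set the setuid/setgid bits on creation too; also say what a builder observes when a filtered call is attempted (an error such as EPERM, or the bits silently dropped), because that affects whether existing derivations keep building. Two wording points: "disallows builders to create" should read "disallows builders from creating", and the last sentence on "other platforms" should say what a build does once the build-user mechanism is disabled (fails, or runs as the daemon's user), since that is a change in the isolation model rather than a detail.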
2 changes: 0 additions & 2 deletions src/libstore/s3-binary-cache-store.cc
@@ -273,8 +273,6 @@ struct S3BinaryCacheStoreImpl : public S3BinaryCacheStore
std::function<void(std::exception_ptr exc)> failure) override
{
sync2async<std::shared_ptr<std::string>>(success, failure, [&]() {
debug(format("fetching ‘s3://%1%/%2%’...") % bucketName % path);

stats.get++;

auto res = s3Helper.getObject(bucketName, path);
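Review bot: the commit title calls the removed debug line redundant, but nothing in the hunk shows a surviving equivalent log for the s3:// fetch; the commit message should point to where that fetch is now logged (for example inside s3Helper.getObject), or the trace should be kept at a lower verbosity level, because stats.get++ only counts fetches and will not tell an operator which bucket/path a slow or failing fetch was for.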