Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/etc: sanitize /etc setup script #41276

Closed
wants to merge 5 commits into from
Closed

nixos/etc: sanitize /etc setup script #41276

wants to merge 5 commits into from

Conversation

tkerber
Copy link
Member

@tkerber tkerber commented May 30, 2018

Fixes #41241

Motivation for this change

Variables passed to the /etc setup script were not shell escaped. This has been changed.
I am not entirely comfortable with the use of eval to construct arrays from the sanitised input, but I haven't found a better approach to convert a string of shell-escaped arguments into an array of strings in bash.

I have tested it myself, however I am not familiar enough with nixos tests to know which ones need to be run for something as low-level as this, and I'm well aware that any change in the /etc setup could break a lot. Any advice on this?

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

Mic92
Mic92 reviewed May 31, 2018
View reviewed changes
nixos/modules/system/etc/make-etc.sh Outdated
modes_=($modes)
users_=($users)
groups_=($groups)
eval "sources_=($sources)"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does the value of $sources looks like in that case?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So this brought to my attention that $sources actually shouldn't be escaped, because it's a list of paths, that when escaped don't get properly imported into the store. It also means the script is passed a list of nix store paths, which are sanitized anyway.

For the others, specifically $target, assuming we have the files foo and bar baz, it would like 'foo' 'bar baz', whereas previously it was foo bar baz.

The eval is safe, as it expands to an array literal of string literals.

@tkerber
Copy link
Member Author

tkerber commented May 31, 2018

While fixing the sanitization of $sources, I realised that I'd missed the globbing section of the script. On looking into it, the globbing section is a) inherently unsanitised, and b) impossible to reach, as it requires a nix store path to have a * in it. I've gone through the history, and it seems to come from a time when the source property was not typed (i.e. could be a string). I therefore think it is safe to remove.

@tkerber
Copy link
Member Author

tkerber commented May 31, 2018
edited

Wait, sorry, it still seems to be in use! E.g. In fail2ban.

@mmahut
Copy link
Member

mmahut commented Aug 3, 2019

What is the status of this pull request?

@stale
Copy link

stale bot commented Jun 1, 2020

Thank you for your contributions.
This has been automatically marked as stale because it has had no activity for 180 days.
If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.
Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the
    related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse. 3. Ask on the #nixos channel on
    irc.freenode.net.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 1, 2020
@stammon
Copy link
Contributor

stammon commented Jul 18, 2020

I think the underlying issue has never been fixed, so somebody who is more familiar with this low level of the nixos module system should revisit it and hopefully merge it

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jul 18, 2020
samuela
samuela approved these changes Sep 23, 2020
View reviewed changes
Copy link
Member

@samuela samuela left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like some of these changes have already made it into make-etc.sh but otherwise LGTM.

@xaverdh
Copy link
Contributor

xaverdh commented Jan 8, 2021
edited

Can't we just set __structuredAttrs here and then obtain the values from json with jq?

edit: ah no jq needed, I just discovered .attrs.sh. Sadly, I also just discovered that structured attributes require support in stdenv..

@xaverdh xaverdh mentioned this pull request Jan 8, 2021
Closed
10 tasks
@FRidh
Copy link
Member

FRidh commented Jan 8, 2021
edited

you can use toJSON and pass the path to the derivation. In that case its probably clearer to rewrite this script in Python.

@xaverdh xaverdh mentioned this pull request Jan 8, 2021
Closed
10 tasks
@xaverdh
Copy link
Contributor

xaverdh commented Jan 8, 2021

you can use toJSON and pass the path to the derivation. In that case its probably clearer to rewrite this script in Python.

I went ahead with the jq appoach: #108779
doesn't look too ugly, but python would be better still ;-)

@stale
Copy link

stale bot commented Jul 8, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jul 8, 2021
This was referenced Jul 22, 2021
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mic92 Mic92 Mic92 left review comments

@samuela samuela samuela approved these changes

Assignees
No one assigned
Labels
2.status: merge conflict 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md 6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Whitespace in environment.etc target crashes nixos
9 participants
@tkerber @mmahut @stammon @xaverdh @FRidh @Mic92 @samuela @ryantm @GrahamcOfBorg