Commit Graph

15555 Commits

Author SHA1 Message Date
Théophane Hufschmitt
90e847698b Fix the access of symlinks to host files in the sandbox
https://github.com/NixOS/nix/pull/10456 fixed the addition of symlink
store paths to the sandbox, but also made it so that the hardcoded
sandbox paths (like `/etc/hosts`) were now bind-mounted without
following the possible symlinks. This made these files unreadable if
there were symlinks (because the sandbox would now contain a symlink to
an unreachable file rather than the underlying file).
In particular, this broke FOD derivations on NixOS as `/etc/hosts` is a
symlink there.

Fix that by canonicalizing all these hardcoded sandbox paths before
adding them to the sandbox.

(cherry picked from commit acbb1523c1)
(cherry picked from commit 1cc79f1343)

# Conflicts:
#	tests/functional/linux-sandbox.sh
2024-10-29 20:11:31 +00:00
Puck Meerburg
e393ee3fdb fix passing CA files into builtins:fetchurl sandbox
This patch has been manually adapted from
14dc84ed03

Tested with:

$ NIX_SSL_CERT_FILE=$(nix-build '<nixpkgs>' -A cacert)/etc/ssl/certs/ca-bundle.crt nix-build --store $(mktemp -d) -E 'import <nix/fetchurl.nix> { url = https://google.com; }'
warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
this derivation will be built:
  /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv
building '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv'...
error:
       … writing file '/nix/store/0zynn4n8yx59bczy1mgh1lq2rnprvvrc-google.com'

       error: unable to download 'https://google.com': Problem with the SSL CA cert (path? access rights?) (77)
error: builder for '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv' failed with exit code 1

Now returns:

nix-env % NIX_SSL_CERT_FILE=$(nix-build '<nixpkgs>' -A cacert)/etc/ssl/certs/ca-bundle.crt nix-build --store $(mktemp -d) -E 'import <nix/fetchurl.nix> { url = https://google.com; }'
this derivation will be built:
  /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv
building '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv'...
error: hash mismatch in fixed-output derivation '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv':
         specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
            got:    sha256-5xXEhGtnRdopaUTqaz2M1o2NE7ovhU0SjcSOPwntqwY=

(cherry picked from commit 1fbdf409524bb350b8614f3d95067cb9ba3c57f2)
(cherry picked from commit 9b818f14dd)

# Conflicts:
#	src/libstore/build/local-derivation-goal.cc
#	src/libstore/builtins/fetchurl.cc
2024-10-29 20:11:31 +00:00
Robert Hensing
52166fd12e
Merge pull request #11693 from NixOS/backport-11610-to-2.19-maintenance
Backport #11610 to 2.19 maintenance
2024-10-21 22:25:40 +02:00
Tom Bereknyei
9965a29535 feat: better warning for common SSL errors
(cherry picked from commit 3e5bf90341)
2024-10-14 15:23:37 +02:00
Théophane Hufschmitt
1047383ed4 Test the inclusion of transitive symlinks in the sandbox
(cherry picked from commit cef677ddbc)
2024-10-14 15:23:37 +02:00
Théophane Hufschmitt
67d369a3ac Fix the access of symlinks to host files in the sandbox
https://github.com/NixOS/nix/pull/10456 fixed the addition of symlink
store paths to the sandbox, but also made it so that the hardcoded
sandbox paths (like `/etc/hosts`) were now bind-mounted without
following the possible symlinks. This made these files unreadable if
there were symlinks (because the sandbox would now contain a symlink to
an unreachable file rather than the underlying file).
In particular, this broke FOD derivations on NixOS as `/etc/hosts` is a
symlink there.

Fix that by canonicalizing all these hardcoded sandbox paths before
adding them to the sandbox.

(cherry picked from commit acbb1523c1)
2024-10-14 15:23:37 +02:00
Jörg Thalheim
cf43b52b9d tests/nixos/fetchurl: drop unused variables
(cherry picked from commit de9946cbfd4858133462c8cc6b7838edb3be2451)
2024-10-14 15:23:37 +02:00
Puck Meerburg
b6b683b0e4 fix passing CA files into builtins:fetchurl sandbox
This patch has been manually adapted from
14dc84ed03

Tested with:

$ NIX_SSL_CERT_FILE=$(nix-build '<nixpkgs>' -A cacert)/etc/ssl/certs/ca-bundle.crt nix-build --store $(mktemp -d) -E 'import <nix/fetchurl.nix> { url = https://google.com; }'
warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
this derivation will be built:
  /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv
building '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv'...
error:
       … writing file '/nix/store/0zynn4n8yx59bczy1mgh1lq2rnprvvrc-google.com'

       error: unable to download 'https://google.com': Problem with the SSL CA cert (path? access rights?) (77)
error: builder for '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv' failed with exit code 1

Now returns:

nix-env % NIX_SSL_CERT_FILE=$(nix-build '<nixpkgs>' -A cacert)/etc/ssl/certs/ca-bundle.crt nix-build --store $(mktemp -d) -E 'import <nix/fetchurl.nix> { url = https://google.com; }'
this derivation will be built:
  /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv
building '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv'...
error: hash mismatch in fixed-output derivation '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv':
         specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
            got:    sha256-5xXEhGtnRdopaUTqaz2M1o2NE7ovhU0SjcSOPwntqwY=

(cherry picked from commit 1fbdf409524bb350b8614f3d95067cb9ba3c57f2)
2024-10-14 15:23:33 +02:00
Puck Meerburg
bdc4e60199 fixup! Add a test for builtin:fetchurl cert verification 2024-10-14 15:15:09 +02:00
Eelco Dolstra
211c80608f
Merge pull request #11587 from NixOS/mergify/bp/2.19-maintenance/pr-11585
builtin:fetchurl: Enable TLS verification (backport #11585)
2024-09-26 00:52:09 +02:00
Eelco Dolstra
aca7a73bc2 Resolve conflict 2024-09-26 00:19:33 +02:00
Eelco Dolstra
233a91464d Typo
(cherry picked from commit ef8987955b)
2024-09-26 00:19:00 +02:00
Eelco Dolstra
a99baf767e Add release note
(cherry picked from commit 7b39cd631e)
2024-09-25 21:53:27 +00:00
Eelco Dolstra
5b42719754 Add a test for builtin:fetchurl cert verification
(cherry picked from commit f2f47fa725)

# Conflicts:
#	tests/nixos/default.nix
2024-09-25 21:53:27 +00:00
Eelco Dolstra
4e4470f15e builtin:fetchurl: Enable TLS verification
This is better for privacy and to avoid leaking netrc credentials in a
MITM attack, but also the assumption that we check the hash no longer
holds in some cases (in particular for impure derivations).

Partially reverts 5db358d4d7.

(cherry picked from commit c04bc17a5a)
2024-09-25 21:53:27 +00:00
tomberek
0446f7be8c
Merge pull request #11416 from NixOS/mergify/bp/2.19-maintenance/pr-10919
install-darwin: fix _nixbld uids for macOS sequoia (backport #10919)
2024-09-16 09:19:36 -04:00
Robert Hensing
59532228ae
Merge pull request #11479 from NixOS/mergify/bp/2.19-maintenance/pr-11473
Fix making the build directory kept by `keep-failed` readable (backport #11473)
2024-09-16 12:39:18 +02:00
Artturin
b082889590 Fix making the build directory kept by keep-failed readable
Caused by 1d3696f0fb

Without this fix the kept build directory is readable only by root

```
$ sudo ls -ld /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-5
drwx------ root root 60 B Wed Sep 11 00:09:48 2024  /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-5/

$ sudo ls -ld /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-5/build
drwxr-xr-x nixbld1 nixbld 80 B Wed Sep 11 00:09:58 2024  /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-5/build/
```

(cherry picked from commit ebebe626ff)
2024-09-11 12:54:09 +00:00
tomberek
35c27ce261
Merge branch '2.19-maintenance' into mergify/bp/2.19-maintenance/pr-10919 2024-09-10 23:41:18 -04:00
tomberek
25aea81331
Merge pull request #11475 from NixOS/mergify/bp/2.19-maintenance/pr-9639
installer: allow overriding of NIX_FIRST_BUILD_ID on darwin (backport #9639)
2024-09-10 23:22:25 -04:00
Mel Zuser
ec2d9a3328 installer: allow overriding of NIX_FIRST_BUILD_ID on darwin
because there are often already users in the 300 range and it's painful
to work around.

revives #6466

(cherry picked from commit fa4bbe53e8)
2024-09-11 01:35:11 +00:00
Robert Hensing
3bebd5b0cf
Merge pull request #11464 from NixOS/backport-11450-to-2.19-maintenance
[Backport 2.19-maintenance] [Backport 2.18-maintenance] installerScriptForGHA: aarch64-darwin
2024-09-09 19:23:35 +02:00
Robert Hensing
4ec961e9e3 installerScriptForGHA: aarch64-darwin
Backport of https://github.com/NixOS/nix/pull/11009

(cherry picked from commit 1b0805d451)
2024-09-09 16:44:02 +00:00
Emily
5e73cb895e install-darwin: increment base UID by 1 (#15)
(cherry picked from commit 11cf29b15c)
2024-09-03 23:57:08 +00:00
Travis A. Everett
d091324489 install-darwin: move nixbld gid to match first UID
(cherry picked from commit 75567423fb)

# Conflicts:
#	scripts/install-multi-user.sh
#	scripts/install-systemd-multi-user.sh
2024-09-03 23:57:08 +00:00
Travis A. Everett
18bac98815 install-darwin: fix _nixbld uids for macOS sequoia
Starting in macOS 15 Sequoia, macOS daemon UIDs are encroaching on our
default UIDs of 301-332. This commit relocates our range up to avoid
clashing with the current UIDs of 301-304 and buy us a little time
while still leaving headroom for people installing more than 32 users.

(cherry picked from commit df36ff0d1e)

# Conflicts:
#	scripts/install-darwin-multi-user.sh
2024-09-03 23:57:07 +00:00
Robert Hensing
3df4dba5e7
Merge pull request #11337 from NixOS/backport-11332-to-2.19-maintenance
[Backport 2.19-maintenance] [Backport 2.22-maintenance] fix: check to see if there are any lines before
2024-08-19 17:05:27 +02:00
Tom Bereknyei
763af319fe fix: check to see if there are any lines before
(cherry picked from commit 59db8fd62b)
(cherry picked from commit aab801db98)
2024-08-19 14:28:12 +00:00
Eelco Dolstra
8c4d8e1e7d Bump version 2024-07-08 14:16:43 +02:00
Robert Hensing
364775eaf5
Merge pull request #11048 from NixOS/backport-11046-to-2.19-maintenance
[Backport 2.19-maintenance] [Backport 2.21-maintenance] libstore: fix sandboxed builds on macOS
2024-07-05 19:33:27 +02:00
Emily
972e83aa0b libstore: fix sandboxed builds on macOS
The recent fix for CVE-2024-38531 broke the sandbox on macOS
completely. As it’s not practical to use `chroot(2)` on
macOS, the build takes place in the main filesystem tree, and the
world‐unreadable wrapper directory prevents the build from accessing
its `$TMPDIR` at all.

The macOS sandbox probably shouldn’t be treated as any kind of a
security boundary in its current state, but this specific vulnerability
wasn’t possible to exploit on macOS anyway, as creating `set{u,g}id`
binaries is blocked by sandbox policy.

Locking down the build sandbox further may be a good idea in future,
but it already has significant compatibility issues. For now, restore
the previous status quo on macOS.

Thanks to @alois31 for helping me come to a better understanding of
the vulnerability.

Fixes: 1d3696f0fb
Closes: #11002
(cherry picked from commit af2e1142b1)
(cherry picked from commit 9feee13952)
2024-07-05 15:59:22 +00:00
Emily
f59307a565 libstore: clean up the build directory properly
After the fix for CVE-2024-38531, this was only removing the nested
build directory, rather than the top‐level temporary directory.

Fixes: 1d3696f0fb
(cherry picked from commit 76e4adfaac)
(cherry picked from commit 0d68b40dda)
2024-07-05 15:59:22 +00:00
Robert Hensing
ead814bfa3
Merge pull request #11025 from NixOS/backport-11022-to-2.19-maintenance
[Backport 2.19-maintenance] Use proper struct sockpeercred for SO_PEERCRED for OpenBSD
2024-07-03 19:59:00 +02:00
kn
d8c86ee2c4 Use proper struct sockpeercred for SO_PEERCRED for OpenBSD
getsockopt(2) documents this;  ucred is wrong ("cr_" member prefix, no pid).

(cherry picked from commit 10ccdb7a41)
2024-07-03 15:57:03 +00:00
John Ericson
7b2b4d03bb Ident some CPP in nix daemon
Makes it easier for me to read.

(cherry picked from commit a09360400b)
2024-07-03 15:57:03 +00:00
Eelco Dolstra
3db5e32b39 Bump version 2024-06-27 11:14:04 +02:00
tomberek
aab22e30b1
Merge pull request from GHSA-q82p-44mg-mgh5
Fix sandbox escape 2.19
2024-06-26 18:49:22 -04:00
Eelco Dolstra
4a3c799531 Fix --no-sandbox
When sandboxing is disabled, we cannot put $TMPDIR underneath an
inaccessible directory.

(cherry picked from commit 86ca2d6d94c0581fda0c666c5e022784952f3542)
(cherry picked from commit 8f58b98770)
2024-06-21 16:40:06 +02:00
Eelco Dolstra
a7af2e9d20 Formatting
(cherry picked from commit 3af22860759509d5040ff70618247031d96a095c)
2024-06-21 16:40:03 +02:00
Eelco Dolstra
8b11eb672a Put the chroot inside a directory that isn't group/world-accessible
Previously, the .chroot directory had permission 750 or 755 (depending
on the uid-range system feature) and was owned by root/nixbld. This
makes it possible for any nixbld user (if uid-range is disabled) or
any user (if uid-range is enabled) to inspect the contents of the
chroot of an active build and maybe interfere with it (e.g. via /tmp
in the chroot, which has 1777 permission).

To prevent this, the root is now a subdirectory of .chroot, which has
permission 700 and is owned by root/root.

(cherry picked from commit af280e72fa0e62e1c2eaccfb992c0dbb6f27f895)
2024-06-21 16:40:03 +02:00
John Ericson
0cd7527998
Merge pull request #10849 from NixOS/backport-10549-to-2.19-maintenance
[Backport 2.19-maintenance] Fix exportReferencesGraph when given store subpath
2024-06-04 06:47:05 -04:00
Alyssa Ross
4628cb89eb Fix exportReferencesGraph when given store subpath
With Nix 2.3, it was possible to pass a subpath of a store path to
exportReferencesGraph:

	with import <nixpkgs> {};

	let
	  hello = writeShellScriptBin "hello" ''
	    echo ${toString builtins.currentTime}
	  '';
	in

	writeClosure [ "${hello}/bin/hello" ]

This regressed with Nix 2.4, with a very confusing error message, that
presumably indicates it was unintentional:

	error: path '/nix/store/3gl7kgjr4pwf03f0x70dgx9ln3bhl7zc-hello/bin/hello' is not in the Nix store

(cherry picked from commit 0774e8ba33)
2024-06-04 10:26:17 +00:00
Robert Hensing
7e8ea6a843
Merge pull request #10843 from NixOS/backport-9897-to-2.19-maintenance
[Backport 2.19-maintenance] libutil/url: fix git+file:./ parse error
2024-06-04 11:04:04 +02:00
Bryan Lai
c45b2b06d0 libutil/url: fix git+file:./ parse error
Previously, the "file:./" prefix was not correctly recognized in
fixGitURL; instead, it was mistaken as a file path, which resulted in a
parsed url of the form "file://file:./".

This commit fixes the issue by properly detecting the "file:" prefix.
Note, however, that unlike "file://", the "file:./" URI is _not_
standardized, but has been widely used to referred to relative file
paths. In particular, the "git+file:./" did work for nix<=2.18, and was
broken since nix 2.19.0.

Finally, this commit fixes the issue completely for the 2.19 series, but
is still inadequate for the 2.20 series due to new behaviors from the
switch to libgit2. However, it does improve the correctness of parsing
even though it is not yet a complete solution.

(cherry picked from commit 8594f3cd5a)
2024-06-04 08:27:08 +00:00
github-actions[bot]
8c6ea4ee60
remove link to relocated manual page (#10704)
fix old anchor redirects to point to the correct location

(cherry picked from commit 45697ba502)

Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
2024-05-15 22:39:34 +02:00
Théophane Hufschmitt
6976a8e670 Add a release note for the build-dir hardening 2024-04-22 15:38:04 +02:00
Théophane Hufschmitt
e919c0bf8f Run the builds in a daemon-controled directory
Instead of running the builds under
`$TMPDIR/{unique-build-directory-owned-by-the-build-user}`, run them
under `$TMPDIR/{unique-build-directory-owned-by-the-daemon}/{subdir-owned-by-the-build-user}`
where the build directory is only readable and traversable by the daemon user.

This achieves two things:

1. It prevents builders from making their build directory world-readable
   (or even writeable), which would allow the outside world to interact
   with them.
2. It prevents external processes running as the build user (either
   because that somehow leaked, maybe as a consequence of 1., or because
   `build-users` isn't in use) from gaining access to the build
   directory.
2024-04-22 15:38:04 +02:00
Théophane Hufschmitt
21cd71d250 Add a test for the user sandboxing 2024-04-22 15:38:04 +02:00
Théophane Hufschmitt
7986891980
Merge pull request #10469 from NixOS/backport-10456-to-2.19-maintenance
[Backport 2.19-maintenance] Fix adding symlink to the sandbox paths
2024-04-11 15:27:21 +02:00
Théophane Hufschmitt
34611986f9 Fix permission denied when building symlink derivation which points to a symlink out of the store
Bind-mounting symlinks is apparently not possible, which is why the
thing was failing.

Fortunately, symlinks are small, so we can fallback to copy them at no cost.

Fix https://github.com/NixOS/nix/issues/9579

Co-authored-by: Artturin <Artturin@artturin.com>
(cherry picked from commit 913db9f738)
2024-04-11 12:08:19 +00:00