mirror of
https://github.com/NixOS/nix.git
synced 2024-11-25 00:02:25 +00:00
Nix, the purely functional package manager
a500c90375
The recent fix for CVE-2024-38531 broke the sandbox on macOS completely. As it’s not practical to use `chroot(2)` on macOS, the build takes place in the main filesystem tree, and the world‐unreadable wrapper directory prevents the build from accessing its `$TMPDIR` at all. The macOS sandbox probably shouldn’t be treated as any kind of a security boundary in its current state, but this specific vulnerability wasn’t possible to exploit on macOS anyway, as creating `set{u,g}id` binaries is blocked by sandbox policy. Locking down the build sandbox further may be a good idea in future, but it already has significant compatibility issues. For now, restore the previous status quo on macOS. Thanks to @alois31 for helping me come to a better understanding of the vulnerability. Fixes: |
||
---|---|---|
.github | ||
config | ||
contrib | ||
dep-patches | ||
doc | ||
m4 | ||
maintainers | ||
misc | ||
mk | ||
perl | ||
scripts | ||
src | ||
tests | ||
.clang-format | ||
.clang-tidy | ||
.dir-locals.el | ||
.editorconfig | ||
.gitignore | ||
.version | ||
configure.ac | ||
CONTRIBUTING.md | ||
COPYING | ||
default.nix | ||
docker.nix | ||
flake.lock | ||
flake.nix | ||
local.mk | ||
Makefile | ||
Makefile.config.in | ||
package.nix | ||
precompiled-headers.h | ||
README.md | ||
shell.nix |
Nix
Nix is a powerful package manager for Linux and other Unix systems that makes package management reliable and reproducible. Please refer to the Nix manual for more details.
Installation and first steps
Visit nix.dev for installation instructions and beginner tutorials.
Full reference documentation can be found in the Nix manual.
Building And Developing
See our Hacking guide in our manual for instruction on how to set up a development environment and build Nix from source.
Contributing
Check the contributing guide if you want to get involved with developing Nix.
Additional Resources
License
Nix is released under the LGPL v2.1.