
Add granular access control for nix store #9287

Draft: wants to merge 61 commits into base: master
Conversation

@balsoft (Member) commented Nov 3, 2023

Motivation

Add functionality to manage POSIX ACLs (access control lists) on Nix store paths (including .drv files) and derivation build logs.

In particular:

  • Adds a nix store access command with the following subcommands:
    • info
    • protect / unprotect
    • grant / revoke
  • Adds a --protect flag to nix build and nix store add-*
  • Adds a __permissions argument to builtins.derivation, and a permissions argument to builtins.path, which allow controlling the permissions on the corresponding store objects.

For now, all of these are hidden behind --experimental-flags acls

Context

NixOS/rfcs#143

Implementation strategy

  • Add a C++ interface for POSIX ACLs
  • Add a Nix data structure to describe ACLs of a store path (AccessStatus), which can be
    • protected (if NOT protected, readable and executable by everyone; else readable and executable only by entities)
    • entities (list of entities (users and groups) that have access to a path if it is protected)
  • Implement setting and getting AccessStatus on a local store and remote daemon store
    • If the path/derivation does not exist yet, apply the AccessStatus as soon as the path appears
  • Add CLI subcommands and language primitives to manage AccessStatus-es

Priorities

Add 👍 to pull requests you find important.

@github-actions bot added labels documentation, new-cli (Relating to the "nix" command) and store (Issues and pull requests concerning the Nix store) on Nov 3, 2023
ylecornec and others added 11 commits November 14, 2023 10:57
This commit also enables acls in tests/init.sh, which is common to all the tests. Maybe there is a way to only enable it for acls tests.

Co-Authored-By: Alexander Bantyev <balsoft@balsoft.ru>
The User (resp Group) constructor will check the return value of getpwnam (resp getgrnam) and fail with an error message in case of error.
- comment out failing tests
- split the test script in multiple strings
- add a test that should fail if a permission is missing from a direct runtime dependency
These require enabling `acls` for all the tests (even non-acls ones), which fails at the moment (but should not).
@github-actions bot added label with-tests (Issues related to testing. PRs with tests have some priority) on Dec 5, 2023
Before this, the getAccessStatus/setAccessStatus functions were testing for the presence of the path to decide whether to access the current or future permissions. This can be incorrect if the path is already present at the start of the build. So we now decide at the call site which set of permissions to use.
If a path was already present at the beginning of the build, it does not need to be added to the store, so its permissions may not be updated.
We add a check to compare future and current permissions and repair the paths if needed to synchronize the permissions.
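The AccessStatus semantics from the PR description (protected flag plus a list of user and group entities), together with the current-versus-future repair check and the "missing permission on a direct runtime dependency" failure mode from the commit messages above, as an added worked example in C++. This is not code from this PR or from Nix: the struct names, the setfacl(1) text layout and owner/mask policy, and the sample store paths are this example's own assumptions.

```cpp
#include <algorithm>
#include <map>
#include <set>
#include <string>
#include <vector>

// Added example, not Nix's code: models the AccessStatus the PR describes
// (protected flag + user/group entities), the POSIX ACL it maps to, the
// current-vs-future repair check and a closure check for missing grants.
// Struct names, ACL text layout and the sample store paths are assumptions.

struct Entity {
    enum Kind { User, Group } kind;
    std::string name;
    bool operator<(const Entity &o) const { return kind != o.kind ? kind < o.kind : name < o.name; }
    bool operator==(const Entity &o) const { return kind == o.kind && name == o.name; }
};

struct AccessStatus {
    bool isProtected = false;   // false: readable and executable by everyone
    std::set<Entity> entities;  // who may read when protected
    bool operator==(const AccessStatus &o) const {
        return isProtected == o.isProtected && entities == o.entities;
    }
};

// Identity of a process trying to read a store path.
struct Identity { std::string user; std::vector<std::string> groups; };

// PR semantics: unprotected paths are readable by everyone, protected ones
// only by the listed users and groups.
bool canRead(const AccessStatus &s, const Identity &who) {
    if (!s.isProtected) return true;
    for (const Entity &e : s.entities) {
        if (e.kind == Entity::User && e.name == who.user) return true;
        if (e.kind == Entity::Group &&
            std::find(who.groups.begin(), who.groups.end(), e.name) != who.groups.end())
            return true;
    }
    return false;
}

// Render as setfacl(1) short text. Assumed policy: the owning daemon user keeps
// rwx, nobody else ever gets write (store paths are immutable), and when
// protected "other" gets nothing while a mask caps named entries at r-x.
std::string toAclText(const AccessStatus &s) {
    if (!s.isProtected) return "user::rwx,group::r-x,other::r-x";
    std::string out = "user::rwx,group::---,mask::r-x,other::---";
    for (const Entity &e : s.entities)
        out += (e.kind == Entity::User ? ",user:" : ",group:") + e.name + ":r-x";
    return out;
}

// A path that existed before the build is not re-added, so its on-disk
// ("current") status can lag the requested ("future") one; the commit messages
// above add exactly this comparison before repairing the path.
bool needsRepair(const AccessStatus &current, const AccessStatus &future) {
    return !(current == future);
}

// Minimal store model: each path's status and its direct runtime references.
struct Store {
    std::map<std::string, AccessStatus> status;
    std::map<std::string, std::vector<std::string>> references;
};

// Granting a user a path is useless if something in its runtime closure is
// still protected against them. Returns the closure paths they cannot read
// (paths absent from the store count as unreadable).
std::vector<std::string> unreadableInClosure(const Store &store, const std::string &root,
                                             const Identity &who) {
    std::vector<std::string> out, todo{root};
    std::set<std::string> seen;
    while (!todo.empty()) {
        std::string p = todo.back();
        todo.pop_back();
        if (!seen.insert(p).second) continue;
        auto st = store.status.find(p);
        if (st == store.status.end() || !canRead(st->second, who)) out.push_back(p);
        auto refs = store.references.find(p);
        if (refs != store.references.end())
            for (const std::string &dep : refs->second) todo.push_back(dep);
    }
    std::sort(out.begin(), out.end());
    return out;
}

// Constructed sample: app granted to alice, but its runtime dependency lib was
// only granted to group wheel; glibc is left unprotected.
Store sampleStore() {
    Store s;
    s.status["/nix/store/aaa-app"] = {true, {{Entity::User, "alice"}}};
    s.status["/nix/store/bbb-lib"] = {true, {{Entity::Group, "wheel"}}};
    s.status["/nix/store/ccc-glibc"] = {false, {}};
    s.references["/nix/store/aaa-app"] = {"/nix/store/bbb-lib", "/nix/store/ccc-glibc"};
    s.references["/nix/store/bbb-lib"] = {"/nix/store/ccc-glibc"};
    return s;
}
```

The closure walk is the part worth keeping in mind when granting access: `nix store access grant` on a single path gives a user an ACL entry on that path only, and a consumer that cannot read a protected runtime dependency still fails at runtime, which is what the test mentioned in the commit message above checks for.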
@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/tweag-nix-dev-update-54/39990/1

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/tweag-nix-dev-update-55/40996/1

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/secrets-in-nix-suck-and-how-to-fix-them/43822/5

3 participants