-
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add granular access control for nix store #9287
base: master
Are you sure you want to change the base?
Conversation
This commit also enables acls in tests/init.sh which is common for all the tests. Maybe there is a way to only enable it for acls tests. Co-Authored-By: Alexander Bantyev <balsoft@balsoft.ru>
The User (resp Group) constructor will check the return value of getpwnam (resp getgrnam) and fail with an error message in case of error.
- comment out failing tests - split the test script in multiple strings - add a test that should fail if a permission is missing from a direct runtime dependency
These require enabling `acls` for all the tests (even non acls ones). Which fails at the moment (but should not).
64766bd
to
2e468f2
Compare
Before this, the getAccessStatus/setAccessStatus functions were testing the presence of the path to decide whether to access the current or future permissions. This can be incorrect if the path is already present at the start of the build. So we now decide at call site which set of permission to use.
If a path was already present at the beginning of the build, it does not need to be added to the store so its permissions may not be updated. We add a check to compate future and current permissions and repair the paths if needed to synchronize the permission.
If a folder was already imported to the store and we do not have permission to this store path, we may be able to edit the permissions if we have read access to all the files of this folder.
This way we only call ensureAccess in cases where the permissions are updated. In particular, we do not want to call ensureAccess if you depend on an already built derivation you could not build yourself, but want to use its public outputs.
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/tweag-nix-dev-update-54/39990/1 |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/tweag-nix-dev-update-55/40996/1 |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/secrets-in-nix-suck-and-how-to-fix-them/43822/5 |
Motivation
Add functionality to manage POSIX ACLs (access control lists) on Nix store paths (including
.drv
files) and derivation build logs.In particular:
nix store access
command with the following subcommands:info
protect
/unprotect
grant
/revoke
--protect
flag tonix build
andnix store add-*
__permissions
argument tobuiltins.derivation
, andpermissions
argument tobuiltins.path
, which allow to control the permissions on corresponding store objects.For now, all of these are hidden behind
--experimental-flags acls
Context
NixOS/rfcs#143
Implementation strategy
AccessStatus
), which can beprotected
(if NOT protected, readable and executable by everyone; else readable and executable only by entities)entities
(list of entities (users and groups) that have access to a path if it is protected)AccessStatus
on a local store and remote daemon storeAccessStatus
-esPriorities
Add 👍 to pull requests you find important.