about summary refs log tree commit diff
diff options
context:
space:
mode:
authorMatthew Bauer <mjbauer95@gmail.com>2019-06-27T18·22-0400
committerMatthew Bauer <mjbauer95@gmail.com>2019-06-27T18·31-0400
commitec0087df0a2da5c68363b3f4509d4545deed97a0 (patch)
tree61cfbf25433472562334950a48f11da39810a5d9
parent324a5dc92f8e50e6b637c5e67dea48c80be10837 (diff)
Don’t use entire /etc/nsswitch.conf file
The default nsswitch.conf(5) file in most distros can handle many
different things including host name, user names, groups, etc. In Nix,
we want to limit the amount of impurities that come from these things.
As a result, we should only allow nss to be used for gethostbyname(3)
and getservent(3).

/cc @Ericson2314
-rw-r--r--src/libstore/build.cc8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 5b38bcf3c5ec..813d7e2c2d08 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -2728,7 +2728,13 @@ void DerivationGoal::runChild()
                on. */
             if (fixedOutput) {
                 ss.push_back("/etc/resolv.conf");
-                ss.push_back("/etc/nsswitch.conf");
+
+                // Only use nss functions to resolve hosts and
+                // services. Don’t use it for anything else that may
+                // be configured for this system. This limits the
+                // potential impurities introduced in fixed outputs.
+                writeFile(chrootRootDir + "/etc/nsswitch.conf", "hosts: files dns\nservices: files\n");
+
                 ss.push_back("/etc/services");
                 ss.push_back("/etc/hosts");
                 if (pathExists("/var/run/nscd/socket"))