* When NIX_REMOTE is set to "slave", fork off nix-worker in slave

  mode.  Presumably nix-worker would be setuid to the Nix store user.
  The worker performs all operations on the Nix store and database, so
  the caller can be completely unprivileged.

  This is already much more secure than the old setuid scheme, since
  the worker doesn't need to do Nix expression evaluation and so on.
  Most importantly, this means that it doesn't need to access any user
  files, with all resulting security risks; it only performs pure
  store operations.

  Once this works, it is easy to move to a daemon model that forks off
  a worker for connections established through a Unix domain socket.
  That would be even more secure.

3 files changed, 65 insertions, 1 deletions

diff --git a/src/libstore/remote-store.cc b/src/libstore/remote-store.cc
index 27717a816a..6f3c110a3d 100644
--- a/src/libstore/remote-store.cc
+++ b/src/libstore/remote-store.cc
@@ -1,12 +1,64 @@
+#include "serialise.hh"
+#include "util.hh"
 #include "remote-store.hh"
 
+#include <iostream>
+#include <unistd.h>
+
 
 namespace nix {
 
 
 RemoteStore::RemoteStore()
 {
-    throw Error("not implemented");
+    toChild.create();
+    fromChild.create();
+
+
+    /* Start the worker. */
+    string worker = "nix-worker";
+
+    child = fork();
+    
+    switch (child) {
+        
+    case -1:
+        throw SysError("unable to fork");
+
+    case 0:
+        try { /* child */
+
+            fromChild.readSide.close();
+            if (dup2(fromChild.writeSide, STDOUT_FILENO) == -1)
+                throw SysError("dupping write side");
+
+            toChild.writeSide.close();
+            if (dup2(toChild.readSide, STDIN_FILENO) == -1)
+                throw SysError("dupping read side");
+
+            execlp(worker.c_str(), worker.c_str(),
+                "-vvv", "--slave", NULL);
+            
+            throw SysError(format("executing `%1%'") % worker);
+            
+        } catch (std::exception & e) {
+            std::cerr << format("child error: %1%\n") % e.what();
+        }
+        quickExit(1);
+    }
+
+    fromChild.writeSide.close();
+    toChild.readSide.close();
+
+    from.fd = fromChild.readSide;
+    to.fd = toChild.writeSide;
+
+    
+    /* Send the magic greeting, check for the reply. */
+    writeInt(0x6e697864, to);
+    
+    unsigned int magic = readInt(from);
+    if (magic != 0x6478696e) throw Error("protocol mismatch");
 }
 
 
diff --git a/src/libstore/remote-store.hh b/src/libstore/remote-store.hh
index 8ebe5e397e..da6911cf4f 100644
--- a/src/libstore/remote-store.hh
+++ b/src/libstore/remote-store.hh
@@ -9,6 +9,12 @@
 namespace nix {
 
 
+class Pipe;
+class Pid;
+struct FdSink;
+struct FdSource;
+
+
 class RemoteStore : public StoreAPI
 {
 public:
@@ -44,6 +50,11 @@ public:
     void ensurePath(const Path & storePath);
 
 private:
+    Pipe toChild;
+    Pipe fromChild;
+    FdSink to;
+    FdSource from;
+    Pid child;
 };
 
 
diff --git a/src/libstore/store-api.cc b/src/libstore/store-api.cc
index 092d7f1e94..9e8bc36d7f 100644
--- a/src/libstore/store-api.cc
+++ b/src/libstore/store-api.cc
@@ -91,6 +91,7 @@ Path makeFixedOutputPath(bool recursive,
 
 
 #include "local-store.hh"
+#include "serialise.hh"
 #include "remote-store.hh"