-rw-r--r-- | doc/manual/installation.xml | 15 | ||||
-rw-r--r-- | src/libexpr/parser.y | 9 | ||||
-rw-r--r-- | src/nix-env/nix-env.cc | 5 |
3 files changed, 22 insertions, 7 deletions
diff --git a/doc/manual/installation.xml b/doc/manual/installation.xml
index 9d80351298b1..b6cc6e7f9bbd 100644
--- a/doc/manual/installation.xml
+++ b/doc/manual/installation.xml
@@ -205,6 +205,21 @@ on systems that have the <function>setresuid()</function> system call (such as Linux and FreeBSD), so on those systems the binaries are simply owned by the Nix user.</para></warning>
+
+
+<!--
+
+warning: the nix-builders group should contain *only* the Nix
+builders, and nothing else. If the Nix account is compromised, you
+can execute programs under the accounts in the nix-builders group, so
+it obviously shouldn’t contain any “real” user accounts. So don’t use
+an existing group like <literal>users</literal> — just create a new
+one.
+
+-->
+
+
+
 </section>
 </section>
diff --git a/src/libexpr/parser.y b/src/libexpr/parser.y
index 8ac3345c1f2e..3540058bc1e0 100644
--- a/src/libexpr/parser.y
+++ b/src/libexpr/parser.y
@@ -369,9 +369,12 @@ Expr parseExprFromFile(EvalState & state, Path path)
 /* If `path' is a symlink, follow it. This is so that relative path references work. */
 struct stat st;
- if (lstat(path.c_str(), &st))
- throw SysError(format("getting status of `%1%'") % path);
- if (S_ISLNK(st.st_mode)) path = absPath(readLink(path), dirOf(path));
+ while (true) {
+ if (lstat(path.c_str(), &st))
+ throw SysError(format("getting status of `%1%'") % path);
+ if (!S_ISLNK(st.st_mode)) break;
+ path = absPath(readLink(path), dirOf(path));
+ }
 /* If `path' refers to a directory, append `/default.nix'. */
 if (stat(path.c_str(), &st))
diff --git a/src/nix-env/nix-env.cc b/src/nix-env/nix-env.cc
index 04641697f1bd..113f49ccb3e4 100644
--- a/src/nix-env/nix-env.cc
+++ b/src/nix-env/nix-env.cc
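Review bot: The new `while (true)` loop in parseExprFromFile (src/libexpr/parser.y) puts no bound on how many links it follows, so a cyclic symlink chain would never terminate. lstat() does not follow links and so does not itself report a loop; as far as the hunk shows, each pass just rewrites `path` and tries again, hanging the evaluator on any expression path that resolves into such a cycle. I would cap the number of hops: declare `unsigned int followCount = 0, maxFollow = 1024;` before the loop and add `if (++followCount >= maxFollow) throw Error(format("too many symbolic links encountered while traversing %1%") % path);` as its first statement, assuming the project's generic Error type is in scope here. The function body starts and continues outside this hunk, so a later check may exist that is not visible here, though the following stat() call would only be reached after the loop exits.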
@@ -1113,10 +1113,7 @@ static void opDefaultExpr(Globals & globals,
 if (opArgs.size() != 1) throw UsageError(format("exactly one argument expected"));
- Path defNixExpr = absPath(opArgs.front());
- Path defNixExprLink = getDefNixExprPath();
-
- switchLink(defNixExprLink, defNixExpr);
+ switchLink(getDefNixExprPath(), absPath(opArgs.front()));
 } |