Age | Commit message (Collapse) | Author | Files | Lines |
|
users.

If the configure flag `--enable-setuid' is used, the Nix programs
nix-env, nix-store, etc. are installed with the setuid bit turned on
so that they are executed as the user and group specified by
`--with-nix-user=USER' and `--with-nix-group=GROUP', respectively
(with defaults `nix' and `nix').

The setuid programs drop all special privileges if they are executed
by a user who is not a member of the Nix group.

The setuid feature is a quick hack to enable sharing of a Nix
installation between users who trust each other. It is not
generally secure, since any user in the Nix group can modify (by
building an appropriate derivation) any object in the store, and for
instance inject trojans into binaries used by other users.

The setuid programs are owned by root, not the Nix user. This is
because on Unix normal users cannot change the real uid, only the
effective uid. Many programs don't work properly when the real uid
differs from the effective uid. For instance, Perl will turn on
taint mode. However, the setuid programs drop all root privileges
immediately, changing all uids and gids to the Nix user and group.
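
The privilege drop described in the commit message above, as an added C example (not code from the Nix source tree). `in_group`, `become` and `drop_privileges` are hypothetical names, and the `nix` user and group looked up in `main` are the defaults the message mentions.

```c
#define _DEFAULT_SOURCE   /* exposes setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>

/* Is `target` the caller's primary gid or one of its supplementary gids? */
bool in_group(gid_t target, gid_t primary, const gid_t *supp, int n)
{
    if (primary == target) return true;
    for (int i = 0; i < n; i++)
        if (supp[i] == target) return true;
    return false;
}

/* Permanently become uid:gid, then confirm the change cannot be undone. */
int become(uid_t uid, gid_t gid, bool reset_groups)
{
    /* Groups first: once the uid is no longer 0 these calls would fail. */
    if (reset_groups && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;  /* euid 0: real, effective, saved gid */
    if (setuid(uid) != 0) return -1;  /* euid 0: real, effective, saved uid */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* root must be gone for good */
    return 0;
}

/* First call in a root-owned setuid program, before any other work. */
int drop_privileges(uid_t nix_uid, gid_t nix_gid)
{
    gid_t supp[256];                  /* more groups than this: fail closed */
    int n = getgroups(256, supp);
    if (n < 0) return -1;
    if (in_group(nix_gid, getgid(), supp, n))
        return become(nix_uid, nix_gid, true);  /* member: run as Nix user */
    return become(getuid(), getgid(), false);   /* otherwise: plain caller */
}

int main(void)
{
    struct passwd *pw = getpwnam("nix");
    struct group *gr = getgrnam("nix");
    if (!pw || !gr) { fputs("no nix user/group here\n", stderr); return 1; }
    if (drop_privileges(pw->pw_uid, gr->gr_gid) != 0) { perror("drop"); return 1; }
    printf("now uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

The member branch only succeeds when the binary really is setuid root; run as an ordinary group member, `setgroups` fails and the program exits instead of continuing with mixed ids.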
|
|
Nix expressions.

To subscribe to a channel (needs to be done only once):

    nix-channel --add \
      http://catamaran.labs.cs.uu.nl/dist/nix/channels/nixpkgs-unstable

This just adds the given URL to ~/.nix-channels (which can also be
edited manually).

To update from all channels:

    nix-channel --update

This fetches the latest expressions and pulls cache manifests. The
default Nix expression (~/.nix-defexpr) is made to point to the
conjunction of the expressions downloaded from all channels.

So to update all installed derivations in the current user
environment:

    nix-channel --update
    nix-env --upgrade '*'

If you are really courageous, you can put this in a cronjob or
something.

You can subscribe to multiple channels. It is not entirely clear
what happens when there are name clashes between derivations from
different channels. From nix-env/main.cc it appears that the one
with the lowest (highest?) hash will be used, which is pretty
meaningless.
|
|
environment variable. This is useful for passing authentication
information (it won't show up in `ps'). Hacky - nix-push should
abstract over the use of Curl.
|
|
* Made the dependencies on bzip2 and the shell explicit.
|
|
Otherwise the substitute mechanism can break in subtle ways.
|
|
* nix-pull now requires the full url to the manifest, i.e.,
`/MANIFEST/' is no longer automatically appended.
* nix-prefetch-url works again.
|
|
* Use curl instead of wget.
|
|
files. Target location is no longer hard-coded; it accepts a number
of URLs on the command line.
* `nix-install-package': compatibility fixes.
|
|
"i686-linux" instead of "i686-suse-linux").
|
|
* Fixed svn:ignore on externals/.
|
|
fstate -> Nix expression).
* Fix src/test.cc.
|
|
* nar.sh needs a path.
|
|
use `--query --generators' anymore.
|
|
* When pushing, put the hash in the file name so that the
client can verify (proof-carrying file names?).
|
|
number of bytes, e.g., in case of a signal like SIGSTOP.
This caused `nix --dump' to fail sometimes.
Note that this bug went unnoticed because the call to `nix
--dump' is in a pipeline, and the shell ignores non-zero
exit codes from all but the last element in the pipeline.
Is there any way to check the result of the initial elements
in the pipeline? (In other words, is it at all possible to
write reliable shell scripts?)
|
|
etc. correctly.
* Fixed nix-switch.
|