path: root/src/libstore/store-api.cc
Age | Author | Files | Lines | Commit message
2011-07-20 | Eelco Dolstra | 1 | -3/+21
* Fix a huuuuge security hole in the Nix daemon. It didn't check that derivations added to the store by clients have "correct" output paths (meaning that the output paths are computed by hashing the derivation according to a certain algorithm). This means that a malicious user could craft a special .drv file to build *any* desired path in the store with any desired contents (so long as the path doesn't already exist). Then the attacker just needs to wait for a victim to come along and install the compromised path.
For instance, if Alice (the attacker) knows that the latest Firefox derivation in Nixpkgs produces the path
    /nix/store/1a5nyfd4ajxbyy97r1fslhgrv70gj8a7-firefox-5.0.1
then (provided this path doesn't already exist) she can craft a .drv file that creates that path (i.e., has it as one of its outputs), add it to the store using "nix-store --add", and build it with "nix-store -r". So the fake .drv could write a Trojan to the Firefox path. Then, if user Bob (the victim) comes along and does
    $ nix-env -i firefox
    $ firefox
he executes the Trojan injected by Alice.
The fix is to have the Nix daemon verify that derivation outputs are correct (in addValidPath()). This required some refactoring to move the hash computation code to libstore.
2010-11-16 | Eelco Dolstra | 1 | -10/+13
* Store the size of a store path in the database (to be precise, the size of the NAR serialisation of the path, i.e., `nix-store --dump PATH'). This is useful for Hydra.
2010-02-22 | Eelco Dolstra | 1 | -13/+0
* Revert r19650 (implement gc-keep-outputs by looking for derivations with the same name as the output) and instead use the DerivationOutputs table in the database, which is the correct way to do things.
2010-01-25 | Eelco Dolstra | 1 | -0/+13
* Make the garbage collector do the right thing when `gc-keep-outputs' is enabled by not depending on the deriver.
2009-11-20 | Eelco Dolstra | 1 | -2/+0
* Remove the --use-atime / --max-atime garbage collector flags. Many (Linux) machines no longer maintain the atime because it's too expensive, and on the machines where --use-atime is useful (like the buildfarm), reading the atimes on the entire Nix store takes way too much time to make it practical.
2009-04-21 | Eelco Dolstra | 1 | -8/+5
* Use foreach in a lot of places.
2009-03-26 | Eelco Dolstra | 1 | -7/+1
* Don't use ULLONG_MAX in maxFreed - use 0 to mean "no limit". 18446744073709551615ULL breaks on GCC 3.3.6 (`integer constant is too large for "long" type').
2008-12-04 | Eelco Dolstra | 1 | -1/+1
* Build on Debian 4.0 (GCC 4.1.1).
2008-12-03 | Eelco Dolstra | 1 | -5/+6
* Pass HashType values instead of strings.
2008-12-03 | Eelco Dolstra | 1 | -27/+84
* Unify the treatment of sources copied to the store, and recursive SHA-256 outputs of fixed-output derivations. I.e. they now produce the same store path:
    $ nix-store --add x
    /nix/store/j2fq9qxvvxgqymvpszhs773ncci45xsj-x
    $ nix-store --add-fixed --recursive sha256 x
    /nix/store/j2fq9qxvvxgqymvpszhs773ncci45xsj-x
the latter being the same as the path that a derivation
    derivation {
      name = "x";
      outputHashAlgo = "sha256";
      outputHashMode = "recursive";
      outputHash = "...";
      ...
    };
produces. This does change the output path for such fixed-output derivations. Fortunately they are quite rare. The most common use is fetchsvn calls with SHA-256 hashes. (There are a handful of those in Nixpkgs, mostly unstable development packages.)
* Documented the computation of store paths (in store-api.cc).
2008-10-16 | Eelco Dolstra | 1 | -0/+6
* Bug fix for building on some old installations (contributed by Pjotr).
2008-09-17 | Eelco Dolstra | 1 | -0/+1
* GC option `--max-atime' that specifies an upper limit to the last accessed time of paths that may be deleted. Anything more recently used won't be deleted. The time is specified in time_t, e.g. seconds since 1970-01-01 00:00:00 UTC; use `date +%s' to convert to time_t from the command line. Example: to delete everything that hasn't been used in the last two months:
    $ nix-store --gc -v --max-atime $(date +%s -d "2 months ago")
2008-09-17 | Eelco Dolstra | 1 | -0/+1
* Garbage collector: added an option `--use-atime' to delete paths in order of ascending last access time. This is useful in conjunction with --max-freed or --max-links to prefer deleting non-recently used garbage, which is good (especially in the build farm) since garbage may become live again. The code could easily be modified to accept other criteria for ordering garbage by changing the comparison operator used by the priority queue in collectGarbage().
2008-08-02 | Eelco Dolstra | 1 | -7/+0
* Make nix-env --dry-run print the paths to be substituted correctly again. (After the previous substituter mechanism refactoring I didn't update the code that obtains the references of substitutable paths.) This required some refactoring: the substituter programs are now kept running and receive/respond to info requests via stdin/stdout.
2008-06-18 | Eelco Dolstra | 1 | -1/+1
(no commit message)
2008-06-18 | Eelco Dolstra | 1 | -0/+11
* Garbage collector: option `--max-freed' to stop after at least N bytes have been freed, `--max-links' to stop when the Nix store directory has fewer than N hard links (the latter being important for very large Nix stores on filesystems with a 32000 subdirectories limit).
2008-06-09 | Eelco Dolstra | 1 | -2/+15
* Merged the no-bdb branch (-r10900:HEAD https://svn.nixos.org/repos/nix/nix/branches/no-bdb).
2008-01-29 | Eelco Dolstra | 1 | -1/+37
* nix-store --dump-db / --load-db to dump/load the Nix DB.
* nix-store --register-validity: option to supply the content hash of each path.
* Removed compatibility with Nix <= 0.7 stores.
2007-11-29 | Eelco Dolstra | 1 | -0/+20
* nix-env -e: support uninstalling by path, so that one can say
    $ nix-env -e $(which firefox)
or
    $ nix-env -e /nix/store/nywzlygrkfcgz7dfmhm5xixlx1l0m60v-pan-0.132
* nix-env -i: if an argument contains a slash anywhere, treat it as a path and follow it through symlinks into the Nix store. This allows things like
    $ nix-build -A firefox
    $ nix-env -i ./result
* nix-env -q/-i/-e: don't complain when the `*' selector doesn't match anything. In particular, `nix-env -q \*' doesn't fail anymore on an empty profile.
2007-08-12 | Eelco Dolstra | 1 | -1/+20
* Get rid of the substitutes database table (NIX-47). Instead, if we need any info on substitutable paths, we just call the substituters (such as download-using-manifests.pl) directly. This means that it's no longer necessary for nix-pull to register substitutes or for nix-channel to clear them, which makes those operations much faster (NIX-95). Also, we don't have to worry about keeping nix-pull manifests (in /nix/var/nix/manifests) and the database in sync with each other. The downside is that there is some overhead in calling an external program to get the substitutes info. For instance, "nix-env -qas" takes a bit longer. Abolishing the substitutes table also makes the logic in local-store.cc simpler, as we don't need to store info for invalid paths. On the downside, you cannot do things like "nix-store -qR" on a substitutable but invalid path (but nobody did that anyway).
* Never catch interrupts (the Interrupted exception).
2007-01-29 | Eelco Dolstra | 1 | -2/+0
* Doh!
2007-01-29 | Eelco Dolstra | 1 | -2/+13
* computeStorePathForText: take the references into account when computing the store path (NIX-77). This is an important security property in multi-user Nix stores. Note that this changes the store paths of derivations (since the derivation aterms are added using addTextToStore), but not most outputs (unless they use builtins.toFile).
2006-12-12 | Eelco Dolstra | 1 | -3/+3
* New primop builtins.filterSource, which can be used to filter files from a source directory. All files for which a predicate function returns true are copied to the store. Typical example is to leave out the .svn directory:
    stdenv.mkDerivation {
      ...
      src = builtins.filterSource
        (path: baseNameOf (toString path) != ".svn")
        ./source-dir;
      # as opposed to
      # src = ./source-dir;
    }
This is important because the .svn directory influences the hash in a rather unpredictable and variable way.
2006-12-04 | Eelco Dolstra | 1 | -4/+2
* Refactoring.
2006-12-02 | Eelco Dolstra | 1 | -12/+2
* Remove SwitchToOriginalUser, we're not going to need it anymore.
2006-12-01 | Eelco Dolstra | 1 | -2/+2
* Merge addToStore and addToStoreFixed.
* addToStore now adds unconditionally, it doesn't use readOnlyMode. Read-only operation is up to the caller (who can call computeStorePathForPath).
2006-12-01 | Eelco Dolstra | 1 | -1/+39
* More operations.
* addToStore() and friends: don't do a round-trip to the worker if we're only interested in the path (i.e., in read-only mode).
2006-11-30 | Eelco Dolstra | 1 | -0/+6
* More remote operations.
* Added new operation hasSubstitutes(), which is more efficient than querySubstitutes().size() > 0.
2006-11-30 | Eelco Dolstra | 1 | -0/+1
* When NIX_REMOTE is set to "slave", fork off nix-worker in slave mode. Presumably nix-worker would be setuid to the Nix store user. The worker performs all operations on the Nix store and database, so the caller can be completely unprivileged. This is already much more secure than the old setuid scheme, since the worker doesn't need to do Nix expression evaluation and so on. Most importantly, this means that it doesn't need to access any user files, with all resulting security risks; it only performs pure store operations. Once this works, it is easy to move to a daemon model that forks off a worker for connections established through a Unix domain socket. That would be even more secure.
2006-11-30 | Eelco Dolstra | 1 | -1/+8
* Skeleton of remote store implementation.
2006-11-30 | Eelco Dolstra | 1 | -0/+107
* Refactoring. There is now an abstract interface class StoreAPI containing functions that operate on the Nix store. One implementation is LocalStore, which operates on the Nix store directly. The next step, to enable secure multi-user Nix, is to create a different implementation RemoteStore that talks to a privileged daemon process that uses LocalStore to perform the actual operations.