From b2027f70d992bd2d088e71ee5cea7637445766f9 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 20 Jul 2011 18:10:47 +0000 Subject: * Fix a huuuuge security hole in the Nix daemon. It didn't check that derivations added to the store by clients have "correct" output paths (meaning that the output paths are computed by hashing the derivation according to a certain algorithm). This means that a malicious user could craft a special .drv file to build *any* desired path in the store with any desired contents (so long as the path doesn't already exist). Then the attacker just needs to wait for a victim to come along and install the compromised path. For instance, if Alice (the attacker) knows that the latest Firefox derivation in Nixpkgs produces the path /nix/store/1a5nyfd4ajxbyy97r1fslhgrv70gj8a7-firefox-5.0.1 then (provided this path doesn't already exist) she can craft a .drv file that creates that path (i.e., has it as one of its outputs), add it to the store using "nix-store --add", and build it with "nix-store -r". So the fake .drv could write a Trojan to the Firefox path. Then, if user Bob (the victim) comes along and does $ nix-env -i firefox $ firefox he executes the Trojan injected by Alice. The fix is to have the Nix daemon verify that derivation outputs are correct (in addValidPath()). This required some refactoring to move the hash computation code to libstore. --- src/libstore/local-store.hh | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'src/libstore/local-store.hh') diff --git a/src/libstore/local-store.hh b/src/libstore/local-store.hh index f270fb7239..8cf6b66406 100644 --- a/src/libstore/local-store.hh +++ b/src/libstore/local-store.hh @@ -25,6 +25,9 @@ const int nixSchemaVersion = 6; extern string drvsLogDir; +struct Derivation; + + struct OptimiseStats { unsigned long totalFiles; @@ -255,6 +258,8 @@ private: RunningSubstituter & runningSubstituter); Path createTempDirInStore(); + + void checkDerivationOutputs(const Path & drvPath, const Derivation & drv); }; -- cgit 1.4.1