Nix 2.12+ allows writing to the sandbox's /etc #7813

Closed
alyssais opened this issue Feb 12, 2023 · 5 comments

@alyssais (Member)

Steps To Reproduce

$ nix-build -E 'derivation { name = "test"; builder = "/bin/sh"; args = [ "-c" ": > /etc/test" ]; system = builtins.currentSystem; }'
this derivation will be built:
  /nix/store/h50pd04icff7qh90py3c4ac72g6myjil-test.drv
building '/nix/store/h50pd04icff7qh90py3c4ac72g6myjil-test.drv'...
error: builder for '/nix/store/h50pd04icff7qh90py3c4ac72g6myjil-test.drv' failed to produce output path for output 'out' at '/nix/store/h50pd04icff7qh90py3c4ac72g6myjil-test.drv.chroot/nix/store/mf3k9v1ph0s43cdq8wqcwhlpa52s41an-test'

Expected behavior

$ nix-build -E 'derivation { name = "test"; builder = "/bin/sh"; args = [ "-c" ": > /etc/test" ]; system = builtins.currentSystem; }'
this derivation will be built:
  /nix/store/h50pd04icff7qh90py3c4ac72g6myjil-test.drv
building '/nix/store/h50pd04icff7qh90py3c4ac72g6myjil-test.drv'...
sh: can't create /etc/test: Permission denied
builder for '/nix/store/h50pd04icff7qh90py3c4ac72g6myjil-test.drv' failed with exit code 1
error: build of '/nix/store/h50pd04icff7qh90py3c4ac72g6myjil-test.drv' failed

nix-env --version output

nix-env (Nix) 2.12.0

Additional context

Introduced by #3600.

This is extremely problematic, as it makes it easy to miss packages trying to install files that will be discarded after the build. For example, NixOS/nixpkgs#214086 missed that the package now installs files into /etc. As long as OfBorg/Hydra are running affected Nix versions, we'll be unknowingly adding broken packages to Nixpkgs that won't build any more after this bug is fixed.

@alyssais alyssais added the bug label Feb 12, 2023
@alyssais alyssais changed the title Nix 2.12 allows writing to /etc inside the sandbox Nix 2.12 allows writing to the sandbox's /etc Feb 12, 2023
@alyssais alyssais changed the title Nix 2.12 allows writing to the sandbox's /etc Nix 2.12+ allows writing to the sandbox's /etc Feb 13, 2023

cole-h commented Feb 13, 2023

FYI:

NixOS/equinix-metal-builders#19 -- pins the EM Linux builders to 2.11
NixOS/infra#239 -- pins the Mac builders to 2.11


ghost commented Feb 14, 2023

we'll be unknowingly adding broken packages to Nixpkgs that won't build any more after this bug is fixed.

I believe that this impurity has caused libinput to become broken on all versions of nix except bleeding-edge-unstable since NixOS/nixpkgs#205386

$ nix --version
nix (Nix) 2.10.3
$ nix build -f . -L libinput
...
libinput> Installing new directory /etc/libinput
libinput> Traceback (most recent call last):
...
libinput>     mkdir(name, mode)
libinput> PermissionError: [Errno 13] Permission denied: '/etc/libinput'
libinput> ERROR: Unhandled python OSError. This is probably not a Meson bug, but an issue with your build environment.

The above works after a git revert bf928e557940be4e10042b1a82d9dcce1776f6ba.

NixOS/equinix-metal-builders#19 -- pins the EM Linux builders to 2.11
NixOS/nixos-org-configurations#239 -- pins the Mac builders to 2.11

Won't that stop working when the pkgs.nixVersions.nix_2_11 expression gets deleted? (unless you're going to pin all of nixpkgs I guess). The nixpkgs-expression-for-nix maintainers have been getting exponentially more aggressive with these deletions, and are now performing them within days of each new release. Apparently 2.3.16 is the only thing that is safe from this. I have a PR that attempts to make it easier to (locally) revert these deletions, but that's just a mitigation, not a solution.
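The two logs in this thread show the same package under the two sandbox behaviours: on Nix 2.12 the write to /etc silently succeeds and is then thrown away with the chroot, while on 2.10/2.11 the builder dies with "Permission denied". The following is an added example, not code from the Nix project: a small scanner over `nix build -L` output that flags install attempts into directories outside the store and reports whether the sandbox refused them, so that a CI job running an affected Nix can still surface packages that quietly install into /etc. The two sample logs are constructed here, modelled on the meson output quoted above, and the store path hash is a placeholder.

```python
"""Flag writes to /etc (and similar host paths) in a Nix build log.

Added example for NixOS/nix#7813; not part of Nix. Assumes the log comes from
`nix build -L` (lines prefixed "<name>> ") or from `nix-build`.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Anything installed outside the store (and the build's own temp dir) is lost
# when the sandbox is torn down, so a write here is a packaging bug whether or
# not the sandbox lets it through.
FORBIDDEN_PREFIXES = ("/etc/", "/usr/", "/var/", "/run/", "/opt/")

# Lines that indicate a write to an absolute path. The first two match meson's
# installer output (as quoted in this issue); the third matches echoed shell
# commands such as those printed by `set -x` or a verbose make.
WRITE_PATTERNS = (
    re.compile(r"Installing new directory (\S+)"),
    re.compile(r"Installing \S+ to (\S+)"),
    re.compile(r"^(?:mkdir|install|cp|ln|touch)\b.*?\s(/\S+)\s*$"),
)
# Evidence that the kernel refused the write: Python's PermissionError (meson)
# and busybox/dash's "can't create" message from the issue's expected output.
DENIED_PATTERNS = (
    re.compile(r"Permission denied: '?(/\S+?)'?$"),
    re.compile(r"can't create (\S+?): Permission denied"),
)
LOG_PREFIX = re.compile(r"^\S+> ")  # "libinput> " from `nix build -L`


@dataclass
class ScanResult:
    attempted: list[tuple[int, str]] = field(default_factory=list)  # (line, path)
    denied: list[str] = field(default_factory=list)

    @property
    def sandbox_leak(self) -> bool:
        """True when a forbidden write was attempted and nothing was refused:
        the build only "succeeded" because the sandbox allowed the write."""
        return bool(self.attempted) and not self.denied


def scan_build_log(log: str) -> ScanResult:
    result = ScanResult()
    for lineno, raw in enumerate(log.splitlines(), start=1):
        line = LOG_PREFIX.sub("", raw).strip()
        denied = next((m.group(1) for p in DENIED_PATTERNS if (m := p.search(line))), None)
        if denied:
            result.denied.append(denied)
            continue
        for pat in WRITE_PATTERNS:
            m = pat.search(line)
            if m and m.group(1).startswith(FORBIDDEN_PREFIXES):
                result.attempted.append((lineno, m.group(1)))
                break
    return result


def verdict(result: ScanResult) -> str:
    if result.sandbox_leak:
        return "LEAK: build installed outside the store and the sandbox allowed it"
    if result.attempted:
        return "OK: build tried to install outside the store; sandbox refused it"
    return "OK: no writes outside the store observed"


# Constructed sample logs (not real build output). The first mirrors the
# Nix 2.12 behaviour reported in this issue: the install into /etc succeeds.
LEAKED_LOG = """\
libinput> Installing libinput.so.10.13.0 to /nix/store/placeholderhash-libinput-1.22.1/lib
libinput> Installing new directory /etc/libinput
libinput> Installing local-overrides.quirks to /etc/libinput
libinput> Installing new directory /nix/store/placeholderhash-libinput-1.22.1/share/libinput
"""
# The second mirrors the expected behaviour: the write to /etc is refused.
ENFORCED_LOG = """\
libinput> Installing new directory /etc/libinput
libinput> Traceback (most recent call last):
libinput>     mkdir(name, mode)
libinput> PermissionError: [Errno 13] Permission denied: '/etc/libinput'
libinput> ERROR: Unhandled python OSError. This is probably not a Meson bug, but an issue with your build environment.
"""

if __name__ == "__main__":
    for name, log in (("nix 2.12 style", LEAKED_LOG), ("nix 2.11 style", ENFORCED_LOG)):
        r = scan_build_log(log)
        print(f"{name}: {verdict(r)}")
        for lineno, path in r.attempted:
            print(f"  line {lineno}: {path}")
```

Run it over a saved log (`nix build -L ... 2>&1 | tee build.log`) and gate on `sandbox_leak`: a "LEAK" verdict is exactly the case this issue describes, where a package that would fail on a correct Nix builds green on an affected one. The heuristics are deliberately narrow; extend `WRITE_PATTERNS` for other build systems' install output rather than loosening the existing ones.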

@alyssais (Member Author)

NixOS/equinix-metal-builders#19 -- pins the EM Linux builders to 2.11
NixOS/nixos-org-configurations#239 -- pins the Mac builders to 2.11

Won't that stop working when the pkgs.nixVersions.nix_2_11 expression gets deleted? (unless you're going to pin all of nixpkgs I guess). The nixpkgs-expression-for-nix maintainers have been getting exponentially more aggressive with these deletions, and are now performing them within days of each new release. Apparently 2.3.16 is the only thing that is safe from this. I have a PR that attempts to make it easier to (locally) revert these deletions, but that's just a mitigation, not a solution.

I think this is likely avoidable with a comment linking here and to the builder config repos, explaining why 2.11 needs to stick around.

alyssais added a commit to alyssais/nixpkgs that referenced this issue Feb 14, 2023
How libinput tries to create /etc changed in upstream commit
05501cd34f9c ("meson: use install_emptydir to create directory"),
so we have to update our sed expression.

This was missed when libinput was updated in Nixpkgs due to a Nix
bug[1], which made the sandbox's /etc writeable.

[1]: NixOS/nix#7813

Fixes: bf928e5 ("libinput: 1.21.0 → 1.22.1")
@edolstra (Member)

Fixed in #7830.

alyssais added a commit to NixOS/nixpkgs that referenced this issue Feb 14, 2023

cole-h commented Feb 14, 2023

NixOS/equinix-metal-builders#19 -- pins the EM Linux builders to 2.11
NixOS/nixos-org-configurations#239 -- pins the Mac builders to 2.11

Won't that stop working when the pkgs.nixVersions.nix_2_11 expression gets deleted? (unless you're going to pin all of nixpkgs I guess). The nixpkgs-expression-for-nix maintainers have been getting exponentially more aggressive with these deletions, and are now performing them within days of each new release. Apparently 2.3.16 is the only thing that is safe from this. I have a PR that attempts to make it easier to (locally) revert these deletions, but that's just a mitigation, not a solution.

Well, sure, but as these are both pinned by flakes, that won't happen until Nixpkgs gets updated past the potential removal of 2.11. Nixpkgs doesn't get updated quite as frequently as you'd expect for those configurations, and I don't expect this issue to stay for very long (especially since it's fixed in master -- now it's just waiting for the backports that will hopefully come 🤞).

EDIT: backports are in, now just waiting for the release and subsequent bumps in Nixpkgs.
