nix-gh

Go to file

aszlig 43e28a1b75 Fix symlink leak in restricted eval mode In EvalState::checkSourcePath, the path is checked against the list of allowed paths first and later it's checked again after resolving symlinks. The resolving of the symlinks is done via canonPath, which also strips out "../" and "./". However after the canonicalisation the error message pointing out that the path is not allowed prints the symlink target in the error message. Even if we'd suppress the message, symlink targets could still be leaked if the symlink target doesn't exist (in this case the error is thrown in canonPath). So instead, we now do canonPath() without symlink resolving first before even checking against the list of allowed paths and then later do the symlink resolving and checking the allowed paths again. The first call to canonPath() should get rid of all the "../" and "./", so in theory the only way to leak a symlink if the attacker is able to put a symlink in one of the paths allowed by restricted evaluation mode. For the latter I don't think this is part of the threat model, because if the attacker can write to that path, the attack vector is even larger. Signed-off-by: aszlig <aszlig@nix.build>		2018-08-03 06:46:43 +02:00
.github	Rename 1.12 -> 2.0	2018-01-31 18:58:45 +01:00
config	Add config.guess, config.sub and install-sh	2013-11-25 11:26:02 +00:00
corepkgs	Make <nix/buildenv.nix> a builtin builder	2018-03-20 17:28:09 +01:00
doc/manual	manual: builtins.fromJSON: remove the claim that floats are not allowed	2018-06-10 14:20:18 +02:00
maintainers	upload-release.pl: Copy the install script and sign everything	2018-05-31 11:58:10 +02:00
misc	docker: move the docker file to https://github.com/NixOS/docker	2018-06-21 19:13:04 +02:00
mk	Fix missing $DESTDIR when installing programs	2018-04-08 18:22:10 -07:00
perl	Modularize config settings	2018-05-30 13:28:01 +02:00
scripts	release.nix: Generate the installer script	2018-05-30 17:40:08 +02:00
src	Fix symlink leak in restricted eval mode	2018-08-03 06:46:43 +02:00
tests	Fix symlink leak in restricted eval mode	2018-08-03 06:46:43 +02:00
.dir-locals.el	Add .dir-locals.el for Emacs	2016-01-28 11:12:04 +01:00
.editorconfig	Add .editorconfig	2017-06-05 22:57:28 +01:00
.gitignore	Make <nix/buildenv.nix> a builtin builder	2018-03-20 17:28:09 +01:00
.travis.yml	Test the installer	2017-07-14 12:11:04 -04:00
COPYING	* Change this to LGPL to keep the government happy.	2006-04-25 16:41:06 +00:00
Makefile	Merge pull request #1997 from dtzWill/fix/cxx14-std-consistency	2018-03-20 18:29:05 +01:00
Makefile.config.in	configure: Add a flag to disable seccomp.	2018-02-18 02:35:01 -05:00
README.md	Fix minor grammatical nitpick ("it's" vs. "its") in `README.md`.	2017-03-22 10:11:23 -04:00
bootstrap.sh	bootstrap: Simplify & make more robust.	2011-09-06 12:11:05 +00:00
configure.ac	Use $CPPFLAGS when detecting version of aws-sdk-cpp	2018-04-06 00:25:34 -07:00
local.mk	Use boost::format from the boost package	2018-03-14 19:24:04 +01:00
nix.spec.in	Cleanup of nix.spec file to allow build on EL7 and beyond	2018-05-09 18:16:39 +02:00
release-common.nix	Include cpptoml for build simplicity	2018-07-03 18:39:36 +02:00
release.nix	release.nix: Generate the installer script	2018-05-30 17:40:08 +02:00
shell.nix	Fix build on non-x86_64-linux	2018-03-19 11:57:34 +01:00
version	bump version to 2.1	2018-04-10 22:58:25 +02:00

README.md

Nix, the purely functional package manager

Nix is a new take on package management that is fairly unique. Because of its purity aspects, a lot of issues found in traditional package managers don't appear with Nix.

To find out more about the tool, usage and installation instructions, please read the manual, which is available on the Nix website at http://nixos.org/nix/manual.

Contributing

Take a look at the Hacking Section of the manual. It helps you to get started with building Nix from source.

License

Nix is released under the LGPL v2.1

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.