summary refs log tree commit diff
path: root/src/libutil/serialise.hh
diff options
context:
space:
mode:
authorEelco Dolstra <e.dolstra@tudelft.nl>2006-11-30 19:54:43 +0000
committerEelco Dolstra <e.dolstra@tudelft.nl>2006-11-30 19:54:43 +0000
commit765bdfe542d3250329dea98b69db2271419f31b6 (patch)
tree3eba766da3d72f36b5ea417b79e0dc275b954135 /src/libutil/serialise.hh
parent40b3f64b55f98e03b3173541b8d94cd924099223 (diff)
downloadguix-765bdfe542d3250329dea98b69db2271419f31b6.tar.gz
* When NIX_REMOTE is set to "slave", fork off nix-worker in slave
  mode.  Presumably nix-worker would be setuid to the Nix store user.
  The worker performs all operations on the Nix store and database, so
  the caller can be completely unprivileged.

  This is already much more secure than the old setuid scheme, since
  the worker doesn't need to do Nix expression evaluation and so on.
  Most importantly, this means that it doesn't need to access any user
  files, with all resulting security risks; it only performs pure
  store operations.

  Once this works, it is easy to move to a daemon model that forks off
  a worker for connections established through a Unix domain socket.
  That would be even more secure.

Diffstat (limited to 'src/libutil/serialise.hh')
-rw-r--r--src/libutil/serialise.hh10
1 files changed, 10 insertions, 0 deletions
diff --git a/src/libutil/serialise.hh b/src/libutil/serialise.hh
index 459a693ee8..6be10b5528 100644
--- a/src/libutil/serialise.hh
+++ b/src/libutil/serialise.hh
@@ -33,6 +33,11 @@ struct FdSink : Sink
 {
     int fd;
 
+    FdSink()
+    {
+        fd = 0;
+    }
+    
     FdSink(int fd) 
     {
         this->fd = fd;
@@ -47,6 +52,11 @@ struct FdSource : Source
 {
     int fd;
 
+    FdSource()
+    {
+        fd = 0;
+    }
+    
     FdSource(int fd) 
     {
         this->fd = fd;