Age | Commit message (Collapse) | Author |
|
Rather, setuid support is now always compiled in (at least on
platforms that have the setresuid system call, e.g., Linux and
FreeBSD), but it must enabled by chowning/chmodding the Nix
binaries.
|
|
|
|
simultaneously. We do this using exclusive locks on uid files in
/nix/var/nix/userpool, e.g., /nix/var/nix/userpool/123 for uid 123.
|
|
|
|
|
|
|
|
contains options for the garbage collector right now, but other
stuff can be added here later.
|
|
roots to a per-process temporary file in /nix/var/nix/temproots
while holding a write lock on that file. The garbage collector
acquires read locks on all those files, thus blocking further
progress in other Nix processes, and reads the sets of temporary
roots.
|
|
* Add /nix/var/nix/manifests directory.
|
|
svn-revision to distributions, which should fix it.
|
|
$(localstatedir)/nix/gcroots/channels).
* In setuid installations, create gcroots/tmp and gcroots/channels
group-writable.
|
|
users.
If the configure flag `--enable-setuid' is used, the Nix programs
nix-env, nix-store, etc. are installed with the setuid bit turned on
so that they are executed as the user and group specified by
`--with-nix-user=USER' and `--with-nix-group=GROUP', respectively
(with defaults `nix' and `nix').
The setuid programs drop all special privileges if they are executed
by a user who is not a member of the Nix group.
The setuid feature is a quick hack to enable sharing of a Nix
installation between users who trust each other. It is not
generally secure, since any user in the Nix group can modify (by
building an appropriate derivation) any object in the store, and for
instance inject trojans into binaries used by other users.
The setuid programs are owned by root, not the Nix user. This is
because on Unix normal users cannot change the real uid, only the
effective uid. Many programs don't work properly when the real uid
differs from the effective uid. For instance, Perl will turn on
taint mode. However, the setuid programs drop all root privileges
immediately, changing all uids and gids to the Nix user and group.
|
|
|
|
* Include bootstrap.sh in dist.
|
|
|
|
environment variables.
* Started adding some automatic tests.
* Do a `make check' when building RPMs.
|
|
|
|
is specified.
|
|
unless `--disable-init-state' is passed to configure.
|
|
|
|
|
|
|
|
* Allow extra flags to be passed to RPM.
|
|
* Respect DESTDIR variable.
|
|
|
|
GCC 2.95.
|
|
|
|
* `make dist'.
|
|
archives (using the package in corepkgs/nar).
* queryPathByHash -> expandHash, and it takes an argument specifying
the target path (which may be empty).
* Install the core Fix packages in $prefix/share/fix. TODO: bootstrap
Nix and install Nix as a Fix package.
|
|
build action for `system' packages (like system.fix) that have
dependencies on all packages we want to activate.
So the command sequence to switch to a new activation configuration
of the system would be:
$ fix -i .../fixdescriptors/system.fix
...
system.fix -> 89cf4713b37cc66989304abeb9ea189f
$ nix-switch 89cf4713b37cc66989304abeb9ea189f
* A nix-profile.sh script that can be included in .bashrc.
|
|
|