Skip to content

add default exception for nix #1581

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
matt-phylum merged 1 commit into from
Mar 3, 2025
Merged

add default exception for nix #1581

matt-phylum merged 1 commit into from
Mar 3, 2025

Conversation

@matt-phylum
Copy link
Contributor

@matt-phylum matt-phylum commented Mar 3, 2025

With Nix (including NixOS), software is installed into /nix/store and resolved using environment variables or configuration files or symbolic links. For example, if you install the jdk package your java installation will be somewhere like /nix/store/3dhyjzr2j852wxgsaij64xgm74h6wgfp-openjdk-21.0.5+11/bin/java and resolved using symbolic links or PATH depending on the installation method. Therefore, if /nix/store isn't readable and executable you won't be able to run anything installed using Nix (or practically anything at all on NixOS).

There is a chance that this allows a malicious package to read sensitive files under /nix/store. This should be uncommon. Users aren't supposed to put secrets directly into the Nix store because the files all have 0444 or 0555 permissions. However, it doesn't seem unlikely that a user might be using Nix to build private source code, which would leave a copy of that source code in the store where it would be made accessible by this change. I doubt it's a big enough deal that Nix support would require querying for and whitelisting specific packages.

Checklist

  • Does this PR have an associated issue (i.e., closes #<issueNum> in description above)?
  • Have you ensured that you have met the expected acceptance criteria?
  • Have you created sufficient tests?
  • Have you updated all affected documentation?
  • Have you updated CHANGELOG.md (or extensions/CHANGELOG.md), if applicable

@matt-phylum matt-phylum requested a review from a team as a code owner March 3, 2025 15:03
@matt-phylum matt-phylum requested a review from mhorner-vera March 3, 2025 15:03
@matt-phylum
Copy link
Contributor Author

matt-phylum commented Mar 3, 2025

This also applies to ld.so on NixOS, which will be somewhere like /nix/store/pzdwqz1l5w8xyk1aqyb53r87kdalxc7f-glibc-2.40-36-bin/bin/ld.so.

maxrake
maxrake approved these changes Mar 3, 2025
View reviewed changes
Copy link
Contributor

@maxrake maxrake left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@matt-phylum matt-phylum merged commit 2f63333 into main Mar 3, 2025
17 checks passed
@matt-phylum matt-phylum deleted the matt/exceptions branch March 3, 2025 16:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maxrake maxrake maxrake approved these changes

@cd-work cd-work cd-work approved these changes

@mhorner-vera mhorner-vera Awaiting requested review from mhorner-vera mhorner-vera is a code owner automatically assigned from phylum-dev/user-components

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@matt-phylum @maxrake @cd-work