Commit graph

67 commits

Author SHA1 Message Date
Anders Kaseorg
3cd8ce3bce treewide: Fix unsafe concatenation of $LD_LIBRARY_PATH
Naive concatenation of $LD_LIBRARY_PATH can result in an empty
colon-delimited segment; this tells glibc to load libraries from the
current directory, which is definitely wrong, and may be a security
vulnerability if the current directory is untrusted.  (See #67234, for
example.)  Fix this throughout the tree.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2020-01-15 09:47:03 +01:00
Nikolay Amiantov
06f27dc2e9 chrootenv: propagate nested chrootenv /host
To avoid symlink loops to /host in nested chrootenvs we need to remove
one level of indirection. This is also what's generally expected of
/host contents.
2019-05-30 15:34:01 +03:00
Nikolay Amiantov
7664ffbbaf chrootenv: small improvements
* Remove unused argument from pivot_root;
* Factor out tmpdir creation into a separate function;
* Remove unused fstype from bind mount;
* Use unlink instead of a treewalk to remove empty temporary directory.
2019-05-30 15:34:01 +03:00
Nikolay Amiantov
e0d3bc292c chrootenv: make stackable
The problem with stacking chrootenv before was that CLONE_NEWUSER cannot
be used when a child uses chroot. So instead of that we use pivot_root
which replaces root in the whole namespace. This requires our new root
to be an actual fs so we mount tmpfs.
2019-05-30 15:33:30 +03:00
Silvan Mosberger
b6a959b59e
Merge pull request #62040 from abbradar/chrootenv-extend
buildFHSUserEnv: extend PATH and LD_LIBRARY_PATH
2019-05-27 17:56:04 +02:00
Las
50c215df4a
Fix chrootenv segfaulting on exit
glibc 2.27 (and possibly other versions) can't handle an `nopenfd` value larger than 2^19 in `ntfw`, which is problematic if you've set the maximum number of fds per process to a value higher than that.
2019-05-26 17:19:06 +02:00
Nikolay Amiantov
668f8a12f7 buildFHSUserEnv: extend PATH and LD_LIBRARY_PATH
This allows one to run applications from PATH and override libraries for
applications inside chrootenv. Useful for development environments.
2019-05-25 11:37:01 +03:00
Pascal Bach
977d1d8413 nixos/fhsUserenv: make all locales available 2019-04-02 22:45:50 +02:00
volth
c706233f2e
buildFHSEnv: allowSubstitutes = false
trivial builder
2019-02-08 00:27:40 +00:00
Michael Eden
a3488fb9ac fix FHSUserEnv blacklists 2018-11-11 10:32:09 -05:00
Yegor Timoshenko
cea0e9226f
chrootenv: use meson 2018-11-04 11:33:34 +00:00
Piotr Bogdan
ccb76eeb3c chrootenv: strip the binary 2018-11-04 03:43:22 +00:00
Kristoffer Søholm
5e5e57c572 buildFHSUserEnv: use runScript in env (#49077)
This makes its behaviour conform to what is implied in the
documentation.
2018-10-30 22:47:08 +01:00
John Ericson
2c2f1e37d4 reewide: Purge all uses stdenv.system and top-level system
It is deprecated and will be removed after 18.09.
2018-08-30 17:20:32 -04:00
volth
52f53c69ce pkgs/*: remove unreferenced function arguments 2018-07-21 02:48:04 +00:00
Linus Heckemann
75cfbdf33b buildFHSUserEnv: change to root directory after chroot
Fixes #38525
2018-04-28 14:51:07 +01:00
Nikolay Amiantov
9db2a3e638 buildFHSEnv: export TZDIR
This is needed since NixOS keeps tzdata in non-standard /etc/zoneinfo path.
2018-03-11 02:14:49 +03:00
Nikolay Amiantov
94f0ef6628 buildFHSEnv: fix compiler search paths
Fixes OpenWrt compilation.
2018-03-10 23:57:12 +03:00
Yegor Timoshenko
4b1cf5afb8
chrootenv: rewrite on top of GLib
Changes:

* doesn't handle root user separately
* doesn't chdir("/") which makes using it seamless
* only bind mounts, doesn't symlink (i.e. files)

Incidentally, fixes #33106.

It's about two times shorter than the previous version, and much
easier to read/follow through. It uses GLib quite heavily, along with
RAII (available in GCC/Clang).
2017-12-30 22:28:38 +00:00
Yegor Timoshenko
25b35f4ffb
chrootenv: resolve potential race condition 2017-12-28 00:25:02 +00:00
Yegor Timoshenko
73a0d95b96 chrootenv: code review
* Wrap LEN macro in parantheses
* Drop env_filter in favor of stateful environ_blacklist_filter,
  use execvp instead of execvpe, don't explicitly use environ
* Add argument error logging wherever it makes sense
* Drop strjoin in favor of asprintf
* char* -> const char* where appropriate
* Handle stat errors
* Print user messages with fputs, not errorf
* Abstract away is_str_in (previously bind_blacklisted)
* Cleanup temporary directory on error
* Some minor syntactic and naming changes

Thanks to Jörg Thalheim and Tuomas Tynkkynen for the code review!
2017-12-22 18:56:13 +03:00
Yegor Timoshenko
710662be94 chrootenv: error on chrootenv-inside-chrootenv, resolves #32802 2017-12-22 18:56:13 +03:00
Yegor Timoshenko
0234cd41b4 chrootenv: replace env whitelist with blacklist, closes #32878 2017-12-22 18:56:13 +03:00
Yegor Timoshenko
c03663a145 chrootenv: bind-mount all dirs in /, symlink files, closes #32877 2017-12-22 18:56:13 +03:00
Yegor Timoshenko
ef1accae91 chrootenv: print sysctl command for Debian users, fixes #32876 2017-12-22 18:56:13 +03:00
Jörg Thalheim
438fb59e6f chroot-user: better error message, if unshare is not allowed 2017-12-09 09:14:56 +00:00
Yegor Timoshenko
edb59ee7bd chroot-user: rewrite in C, drop CHROOTENV_EXTRA_BINDS
Formatted via clang-format.
2017-11-09 19:58:55 +00:00
Nikolay Amiantov
2a036ca1a5 buildFHSEnv: fix NIX_* compiler flags
This is needed now after #27672.
2017-10-17 00:39:39 +03:00
Jamey Sharp
09bae7cb70 build-fhs-userenv: Propagate $XAUTHORITY
The `DISPLAY` environment variable is propagated into chroots built with
`buildFHSUserEnv`, but currently the `XAUTHORITY` variable is not. When
the latter is set, its value is usually necessary in order to connect to
the X server identified by the former.

This matters for users running gdm3, for example, who have `XAUTHORITY`
set to something like `/run/user/1000/gdm/Xauthority` instead of the X
default of `~/.Xauthority`, which doesn't exist in that setup.

Fixes #21532.
2017-07-18 00:03:22 -07:00
Nikolay Amiantov
54bbf91479 buildFHSEnv: add ACLOCAL_PATH
Fixes #24620.
2017-04-12 14:43:08 +03:00
Parnell Springmeyer
4aa0923009
Getting rid of the var indirection and using a bin path instead 2017-01-29 04:11:01 -06:00
Parnell Springmeyer
e92b8402b0
Addressing PR feedback 2017-01-28 20:48:03 -08:00
Parnell Springmeyer
bae00e8aa8
setcap-wrapper: Merging with upstream master and resolving conflicts 2017-01-25 11:08:05 -08:00
Nikolay Amiantov
7a73ecc18e buildFHSEnv: link /etc/zoneinfo
This is needed because now /etc/localtime symlink points there.
2016-10-11 16:56:11 +03:00
Parnell Springmeyer
98c058a1ee Adapting everything for the merged permissions wrappers work. 2016-09-01 19:21:06 -05:00
Benno Fünfstück
a368b27270 fhs-user-env: keep DBUS_SESSION_BUS_ADDRESS env
Steam requires this variable or some games run incredibly slow.
See ValveSoftware/Dota-2#921 for more information.
2016-06-28 23:55:43 +02:00
Nikolay Amiantov
5cec134c70 buildFHSUserEnv: don't set CHROOTENV_EXTRA_BINDS 2016-06-28 18:59:33 +03:00
Nikolay Amiantov
3d8664ee42 buildFHSUserEnv: mark CHROOTENV_EXTRA_BINDS as discussed for deprecation 2016-06-07 14:22:38 +03:00
Nikolay Amiantov
3e90b00c10 buildFHSEnv: link 'bin' output 2016-06-07 04:06:35 +03:00
Nikolay Amiantov
8d9e5d297d buildFHSEnv: don't link GCC compiler part 2016-06-07 04:06:35 +03:00
Nikolay Amiantov
74107a7867 buildFHSEnv: refactor and simplify, drop buildFHSChrootEnv
This takes another approach at binding FHS directory structure. We
now bind-mount all the root filesystem to directory "/host" in the target tree.
From that we symlink all the directories into the tree if they do not already
exist in FHS structure.

This probably makes `CHROOTENV_EXTRA_BINDS` unnecessary -- its main usecase was
to add bound directories from the host to the sandbox, and we not just symlink
all of them. I plan to get some feedback on its usage and maybe deprecate it.

This also drops old `buildFHSChrootEnv` infrastructure. The main problem with it
is it's very difficult to unmount a recursive-bound directory when mount is not
sandboxed. This problem is a bug even without these changes -- if
you have for example `/home/alice` mounted to somewhere, you wouldn't see
it in `buildFHSChrootEnv` now. With the new directory structure, it's
impossible to use regular bind at all. After some tackling with this I realized
that the fix would be brittle and dangerous (if you don't unmount everything
clearly and proceed to removing the temporary directory, bye-bye fs!). It also
probably doesn't worth it because I haven't heard that someone actually uses it
for a long time, and `buildFHSUserEnv` should cover most cases while being much
more maintainable and safe for the end-user.
2016-06-07 04:06:35 +03:00
Nikolay Amiantov
ca38376566 buildFHSUserEnv: don't run bash in login mode for .env
Fixes https://github.com/NixOS/nixpkgs/issues/12406 for `.env`
2016-05-20 14:17:49 +03:00
Nikolay Amiantov
375c410d07 userFHSEnv: add passthru, rename meta 2016-04-03 04:19:58 +03:00
Nikolay Amiantov
a5322efd95 Revert "Remove PATH assumption from fhs-userenv."
This reverts commit 2f26b82411.

This breaks terminfo in Bash for some reason (i.e. TAB and other
special keys).
2016-03-29 17:58:07 +03:00
Nikolay Amiantov
f18317885a fhs-userenv: don't use bash login mode
Login mode can cause hidden problems, e.g. #12406. Generally we don't want
to read user's .bash_profile when we don't start an interactive shell inside
a chroot.
2016-01-23 15:55:53 +03:00
lethalman
091c74b1c8 Merge pull request #12062 from mogorman/platformio
platformio: init at 2.7.0
2016-01-13 15:47:25 +01:00
Matthew O'Gorman
c87ef76027
build-fhs-userenv: added the option meta to be passed down to the final derivation. 2016-01-06 04:06:28 -05:00
Nikolay Amiantov
230898ceb2 chrootenv-user: don't unshare user namespace if we are root 2015-12-17 14:21:06 +03:00
Kevin Cox
2f26b82411 Remove PATH assumption from fhs-userenv.
Previously is was assumed that bash was in the path when calling the
environment setup script. This changes all of the references of bash to
be absolute paths so that the user doesn't have to worry about the
environment they call it with.
2015-12-14 11:14:53 -05:00
zimbatm
9b33ec1764 build-fhs-userenv: don't leak file descriptors
This re-uses the capabilities documented in `Process.spawn` to avoid leaking
unecessary file-descriptors to the sandbox
2015-12-10 16:01:04 +00:00