Support file paths with a dotted basename #912
Comments
Fixing this would be mighty handy for the various "manage your dotfiles with nix" tools out there.
What actually are the security implications of allowing store names to start with a dot? Does nix reconstitute paths based on that name at some point, or is the store path just a unique key identifying the item in the store?
Gah, I'm hitting this trying to do some dotfile management within NixOS:
Seems like an important feature for me, though looks like an activation script will have to do for now. Any more thoughts on this?
Is this still a technical restriction or is it really for security reasons like it says here: https://github.com/NixOS/nix/blob/master/src/libstore/store-api.cc#L85-L91 A bit of discussion in the home-manager repo: nix-community/home-manager#4 (comment)
This can be worked around with
@shlevy that works, thanks for the tip!
I marked this as stale due to inactivity.
I closed this issue due to inactivity.
Oh ha (see #9095) we've gone back and forth with this since this issue was opened I guess.
Let's track leading period support here. Nix versions that denied leading periods are currently:
[Backport 2.20-maintenance] #912 allow leading period
How can I check if the backports have been released? https://nixos.org/manual/nix/stable/release-notes doesn't contain release notes for patch releases, and releases on GitHub don't seem to come with a changelog. Thanks!
We have some support for minor release notes in our minor release process.
cc @edolstra
Thanks @roberth!
Just wanted to clarify the above:
I checked 2.18.2, and it denies leading dots in paths, so the backport seems to have made it. Given https://nvd.nist.gov/vuln/detail/CVE-2024-27297, and that currently only the following Nix versions contain the patch for it:
the only secure option available to people who want to avoid the dot problem is to use
Note that:
EDIT: just tested
Currently, I think the logic tries to set the "derivation" name to the basename when copying a path into the store. If that basename starts with a dot, Nix moans about not being able to copy it in.
Luckily, the derivation name doesn't matter all that much in Nix, so it can really be anything we want. Perhaps we could just have the file copying code strip out any leading dots from the name, or replace them with the string "dot"? That way we could do something like this:
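To make the two naming rules discussed in this thread concrete, here is a small added example (not Nix's own code, and not code from anyone in the thread) that reimplements the store-name check in Python and then applies the renaming the issue proposes. It assumes the name character set `[A-Za-z0-9+-._?=]` and the 211-character limit used by Nix's `checkName`, and it models the older rule (any leading period rejected, as at the linked `store-api.cc` lines) and the newer one (only `.` and `..` as the first dash-separated component rejected) behind a flag; treat those details as assumptions to verify against the Nix version you run.

```python
import re
from typing import Optional

# Assumed to match Nix's libstore checkName: allowed characters and maximum
# name length. This is a reimplementation for illustration, not Nix's code.
STORE_NAME_CHARS = re.compile(r"^[A-Za-z0-9+\-._?=]+$")
MAX_NAME_LEN = 211


def check_store_name(name: str, allow_leading_period: bool) -> Optional[str]:
    """Return None if `name` is an acceptable store path name, else the reason.

    allow_leading_period=False models the older rule referenced in the thread
    (every name starting with '.' is refused). True models the newer rule,
    where only '.' and '..' as the first dash-separated component are refused,
    because those would otherwise collide with directory entries.
    """
    if not name:
        return "empty name"
    if len(name) > MAX_NAME_LEN:
        return f"name longer than {MAX_NAME_LEN} characters"
    if not STORE_NAME_CHARS.match(name):
        return "name contains characters outside [A-Za-z0-9+-._?=]"
    if name.startswith("."):
        if not allow_leading_period:
            return "name starts with a period"
        first = name.split("-", 1)[0]
        if first in (".", ".."):
            return f"first dash-separated component must not be {first!r}"
    return None


def store_name_for_basename(basename: str, allow_leading_period: bool,
                            replacement: str = "dot") -> str:
    """Derive a store name from a file's basename, as the issue suggests.

    The basename is kept when it is already valid. Otherwise each leading '.'
    is replaced by `replacement` ("" simply strips them), so that ".bashrc"
    becomes "dotbashrc" under the older rule. If no valid name results (for
    example a basename made only of dots with replacement ""), raise.
    """
    if check_store_name(basename, allow_leading_period) is None:
        return basename
    stripped = basename.lstrip(".")
    leading = len(basename) - len(stripped)
    candidate = replacement * leading + stripped
    reason = check_store_name(candidate, allow_leading_period)
    if reason is not None:
        raise ValueError(f"cannot derive a store name from {basename!r}: {reason}")
    return candidate


if __name__ == "__main__":
    # Constructed sample basenames a dotfile manager would typically copy in.
    for sample in [".bashrc", "..config", "..", "foo bar", "vimrc"]:
        for policy in (False, True):
            print(f"{sample!r:12} leading_period={policy!s:5} ->",
                  check_store_name(sample, policy) or "ok")
```

The sanitizer is where a dotfile tool would plug in today: computing the name once, up front, avoids relying on whichever rule the installed Nix happens to enforce.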