Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

trusted-public-keys in a (trusted) user's nix.conf is silently ignored #1921

Closed
LnL7 opened this issue Feb 28, 2018 · 7 comments
Closed

trusted-public-keys in a (trusted) user's nix.conf is silently ignored #1921

LnL7 opened this issue Feb 28, 2018 · 7 comments
Assignees
@shlevy
Labels
bug

Comments

@LnL7
Copy link
Member

LnL7 commented Feb 28, 2018

Configuring trusted-public-keys in ~/.config/nix/nix.conf gets silently ignored, resulting in a confusing error like this.

these paths will be fetched (0.34 MiB download, 1.80 MiB unpacked):
  /nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-hello-2.10
warning: substituter 'https://cache.nix.example.org' does not have a valid signature for path '/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-hello-2.10'
error: build of '/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-hello-2.10.drv' failed
@dtzWill
Copy link
Member

dtzWill commented Feb 28, 2018

TIL you can have a per-user nix.conf! Neat.

@dtzWill
Copy link
Member

dtzWill commented Mar 10, 2018

This does appear to work on a single-user install, FWIW.

@LnL7
Copy link
Member Author

LnL7 commented Mar 10, 2018

Yes, from looking at the code seems to indicate trusted keys are only loaded when the daemon starts, so any changes afterwards sent by the client don't get applied.

Not allowing this is fine by me, but then the user should get an error when sending trusted keys to the daemon.

@shlevy shlevy added the backlog label Apr 1, 2018
@shlevy shlevy self-assigned this Apr 1, 2018
@domenkozar
Copy link
Member

I don't quite understand what's the security model here though. If user wants to user a binary cache for himself/herself, how is that different than building the package from source? OK, the binary cache might be malicious, but user can also build malicious Nix files.

I do understand that user A shouldn't be able to whitelist binary caches for user B.

@edolstra
Copy link
Member

Because the user can use a malicious binary cache to substitute a trojaned binary for a legitimate Nix expression, which could then be used by other users. E.g.

  • Alice builds nixpkgs.firefox with a malicious binary cache that substitutes a Trojan for /nix/store/<X>-firefox.

  • Bob later installs nixpkgs.firefox (i.e. the same, non-malicious derivation). Nix sees that /nix/store/<X>-firefox is already valid, so it has nothing to do. Bob runs Alice's Trojaned binary.

but user can also build malicious Nix files

But Alice cannot use that to hack Bob, she would have to get him to use her malicious Nix expression first.

However, this issue is about trusted users, who should have the ability to set trusted keys.

@edolstra edolstra added the bug label Apr 13, 2018
@domenkozar
Copy link
Member

@edolstra ah, good one. Thank you.

@LnL7
Copy link
Member Author

LnL7 commented Apr 14, 2018

Yeah this is specifically for trusted users. I'm not sure but I think regular users get a warning that they are not allowed to set options like this.

domenkozar pushed a commit that referenced this issue Apr 20, 2018
@edolstra @domenkozar
Fix #1921
444b921 
(cherry picked from commit d34fa2b)
Signed-off-by: Domen Kožar <[email protected]>
@dtzWill dtzWill mentioned this issue Apr 23, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@shlevy shlevy

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@domenkozar @shlevy @LnL7 @dtzWill @edolstra