
Store owner packages / Secret

Open andrewchambers opened this issue 5 years ago • 2 comments

Nix/Guix do not allow packages to contain things like:

  • Private files.
  • Device nodes.
  • Setuid binaries.

They do this to enable 'purity' in builds, and it may be a worthy goal, but in some situations it can be a pain:

  • You cannot deploy secrets as packages; they would be public without additional encryption. Normally in NixOS, I work around this by storing a master key in a root-owned folder.
  • You need a "launcher" script to install setuid links and other OS-related files at boot. NixOS does this via its activation script run by nixos-switch.

It is worth considering if we can relax this restriction for packages submitted by the store owner (root for system-owned packages). The way it would work is that packages submitted by the store owner can apply post-processing that is run in the context of the store owner.

During post-processing, things like device nodes, permission bits, etc. can be changed to values that are not allowed for the typical build users.

andrewchambers · Apr 12 '20 23:04
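The three content rules the issue opens with (no private files, no device nodes, no setuid binaries) are easy to state and easy to get subtly wrong when enforced by hand, so here is an added example of a checker that walks a package output and reports every entry an ordinary build user is not allowed to produce. This is illustration code written for this page, not hermes, Nix or Guix code; the names `Violation`, `check_mode` and `scan_store_path`, and the sample tree it builds, are assumptions made for the example.

```python
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List

# Added example, not part of hermes. It encodes the three package-content
# rules the issue lists as a checker over a package output directory.
# Violation, check_mode and scan_store_path are names assumed for this example.


@dataclass(frozen=True)
class Violation:
    path: str
    rule: str   # "device", "setuid" or "private"
    mode: int   # raw st_mode, kept for the report


def check_mode(path: str, mode: int) -> List[Violation]:
    """Classify one inode by its st_mode against the store rules."""
    found: List[Violation] = []
    if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
        found.append(Violation(path, "device", mode))
    # setgid is grouped with setuid: both escalate on exec.
    if mode & (stat.S_ISUID | stat.S_ISGID):
        found.append(Violation(path, "setuid", mode))
    # A store is world-readable by design, so a file or directory the rest of
    # the world cannot read is a "private file" (the issue's first bullet).
    if (stat.S_ISREG(mode) or stat.S_ISDIR(mode)) and not mode & stat.S_IROTH:
        found.append(Violation(path, "private", mode))
    return found


def scan_store_path(root: str) -> List[Violation]:
    """Walk a package output using lstat. Symlinks are never followed, so a
    link pointing outside the store cannot make a device or setuid file
    appear to be part of the package."""
    out: List[Violation] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        out.extend(check_mode(dirpath, os.lstat(dirpath).st_mode))
        for name in filenames:
            full = os.path.join(dirpath, name)
            out.extend(check_mode(full, os.lstat(full).st_mode))
    return sorted(out, key=lambda v: v.path)


def build_demo_tree() -> str:
    """Constructed sample package: one clean binary, one 0600 key file and
    one binary with the setuid bit set. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="pkg-")
    os.chmod(root, 0o755)          # mkdtemp creates it 0700, which would be "private"
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    os.chmod(bindir, 0o755)
    for name, mode in (("tool", 0o755), ("secret.key", 0o600), ("helper", 0o4755)):
        full = os.path.join(bindir, name)
        with open(full, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(full, mode)
    return root


def demo() -> List[str]:
    """Rules violated in the constructed tree as 'rule:relative-path'."""
    root = build_demo_tree()
    return [f"{v.rule}:{os.path.relpath(v.path, root)}" for v in scan_store_path(root)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

`check_mode` works on a raw `st_mode`, so the same classification can be applied to a tar header or a manifest before anything is written to disk; `scan_store_path` is the post-hoc check for an output that already exists. Device nodes cannot be created in the demo tree without `CAP_MKNOD`, which is exactly why the store-owner post-processing step the issue proposes would be needed for them.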

Holding back on this feature until we get a clear idea of what is needed for our hermes OS distribution.

andrewchambers · Apr 12 '20 23:04

There are some security considerations that may be blockers of this feature:

  • If gc roots installed by other users can keep a privileged package alive, this creates a vulnerability as they can prevent upgrades from removing vulnerable setuid programs.

andrewchambers · Apr 12 '20 23:04
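The GC-root concern in the last comment is a liveness-policy question: which roots are allowed to pin a package that carries store-owner privileges. As an added example (written for this page, not hermes code), the model below gives each package a `privileged` flag and each GC root an owner, and only lets roots installed by the store owner keep a privileged package alive, so another user's root cannot hold an old setuid program past an upgrade. `Package`, `GcRoot`, `live_set`, `unsafe_roots` and the sample package graph are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Added example, not part of hermes. Models the GC policy the comment asks for:
# privileged packages (those produced via store-owner post-processing) may only
# be kept alive by roots the store owner installed. All names are assumed.

STORE_OWNER = "root"   # assumption: account that owns the store


@dataclass
class Package:
    name: str
    deps: Set[str] = field(default_factory=set)
    privileged: bool = False   # contains setuid binaries, device nodes, ...


@dataclass(frozen=True)
class GcRoot:
    target: str   # package name the root points at
    owner: str    # user who installed the root


def closure(packages: Dict[str, Package], start: str) -> Set[str]:
    """All packages reachable from `start` through runtime dependencies."""
    seen: Set[str] = set()
    stack = [start]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(packages[name].deps)
    return seen


def live_set(packages: Dict[str, Package], roots: List[GcRoot],
             store_owner: str = STORE_OWNER) -> Set[str]:
    """Packages the collector must keep. A root owned by the store owner keeps
    its whole closure. Any other root keeps its closure minus the privileged
    packages in it, so a stale setuid build is collected once the owner's own
    roots stop referencing it. The unprivileged dependencies of a filtered
    package stay live; they carry no special permissions, so pinning them is
    harmless."""
    live: Set[str] = set()
    for root in roots:
        reach = closure(packages, root.target)
        if root.owner != store_owner:
            reach = {n for n in reach if not packages[n].privileged}
        live |= reach
    return live


def unsafe_roots(packages: Dict[str, Package], roots: List[GcRoot],
                 store_owner: str = STORE_OWNER) -> List[GcRoot]:
    """Roots installed by non-owners whose closure contains a privileged
    package: the ones an administrator would want to audit, since under a
    naive collector each of them could pin a vulnerable setuid program."""
    return [r for r in roots
            if r.owner != store_owner
            and any(packages[n].privileged for n in closure(packages, r.target))]


def demo() -> Tuple[Set[str], List[str]]:
    """Constructed sample: the system generation moved from sudo-1.8 to
    sudo-1.9, but user alice still has a root on a tool that depends on the
    old one. Returns the live set and the names of roots flagged as unsafe."""
    packages = {
        "glibc": Package("glibc"),
        "sudo-1.8": Package("sudo-1.8", {"glibc"}, privileged=True),
        "sudo-1.9": Package("sudo-1.9", {"glibc"}, privileged=True),
        "mytool": Package("mytool", {"sudo-1.8", "glibc"}),
        "system-gen-2": Package("system-gen-2", {"sudo-1.9", "glibc"}),
    }
    roots = [
        GcRoot("system-gen-2", "root"),
        GcRoot("mytool", "alice"),
    ]
    live = live_set(packages, roots)
    flagged = [f"{r.owner}:{r.target}" for r in unsafe_roots(packages, roots)]
    return live, flagged


if __name__ == "__main__":
    live, flagged = demo()
    print("live:", sorted(live))
    print("unsafe roots:", flagged)
```

In the sample, `sudo-1.8` is not in the live set even though alice's root reaches it, while `mytool` itself survives. That means alice's package would lose a dependency after collection, which is the trade-off this policy makes: either non-owner packages may not depend on privileged ones, or the store owner has to install the root that keeps them.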