Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add granular access control for nix store #9287

Draft
wants to merge 61 commits into
base: master
Choose a base branch
from
Draft

Add granular access control for nix store #9287

wants to merge 61 commits into from

Conversation

balsoft
Copy link
Member

@balsoft balsoft commented Nov 3, 2023

Motivation

Add functionality to manage POSIX ACLs (access control lists) on Nix store paths (including .drv files) and derivation build logs.

In particular:

  • Adds a nix store access command with the following subcommands:
    • info
    • protect / unprotect
    • grant / revoke
  • Adds a --protect flag to nix build and nix store add-*
  • Adds __permissions argument to builtins.derivation, and permissions argument to builtins.path, which allow to control the permissions on corresponding store objects.

For now, all of these are hidden behind --experimental-flags acls

Context

NixOS/rfcs#143

Implementation strategy

  • Add a C++ interface for POSIX ACLs
  • Add a Nix data structure to describe ACLs of a store path (AccessStatus), which can be
    • protected (if NOT protected, readable and executable by everyone; else readable and executable only by entities)
    • entities (list of entities (users and groups) that have access to a path if it is protected)
  • Implement setting and getting AccessStatus on a local store and remote daemon store
    • If the path/derivation does not exist yet, apply the AccessStatus as soon as the path appears
  • Add CLI subcommands and language primitives to manage AccessStatus-es

Priorities

Add 👍 to pull requests you find important.

@github-actions github-actions bot added documentation new-cli Relating to the "nix" command store Issues and pull requests concerning the Nix store labels Nov 3, 2023
@infinisil infinisil mentioned this pull request Nov 7, 2023
Draft
ylecornec and others added 11 commits November 14, 2023 10:57
@ylecornec @balsoft
Add tests/acls.sh
bd56e3e 
This commit also enables acls in tests/init.sh which is common for all the tests. Maybe there is a way to only enable it for acls tests.

Co-Authored-By: Alexander Bantyev <[email protected]>
@ylecornec
acls grant/revoke: Error if group or user does not exists
db3a522 
The User (resp Group) constructor will check the return value of getpwnam (resp getgrnam) and fail with an error message in case of error.
@ylecornec
Acls test: permission of dependency.
aba3181
@ylecornec
revokeBuildUserAccess: only revoke permissions added by grantBuildUse…
8dbea38 
…rAccess
@ylecornec
Acls: add test that revokes the permission of a runtime dependency.
14e474c
@ylecornec
Acls: Refactor integration tests
afd828b 
- comment out failing tests
- split the test script in multiple strings
- add a test that should fail if a permission is missing from a direct runtime dependency
@ylecornec
Acls: disable non integration tests for now
5d97559 
These require enabling `acls` for all the tests (even non acls ones). Which fails at the moment (but should not).
@balsoft
Add json() to AccessStatus
65fe86f
@balsoft
Add protectByDefault setting
db20d22
@balsoft
Add runtime closure invariant
1102fdd
@balsoft
Run acls.sh test properly
6293167
@github-actions github-actions bot added the with-tests Issues related to testing. PRs with tests have some priority label Dec 5, 2023
@ylecornec
Acls: Add tests where a public output depend on a private one
9d6c011
@ylecornec
Acls: explicitely access future or current permissions
1ed4965 
Before this, the getAccessStatus/setAccessStatus functions were testing the presence of the path to decide whether to access the current or future permissions. This can be incorrect if the path is already present at the start of the build. So we now decide at call site which set of permission to use.
@ylecornec
Acls: remove some permission adding code which may not be needed anymore
f9e2c4b
@ylecornec
Acls: Also add future permission to paths of StoreObjectDerivationOutput
0c625b0
@ylecornec
Acls: Add ShouldSync path status
7ea4b05 
If a path was already present at the beginning of the build, it does not need to be added to the store so its permissions may not be updated.
We add a check to compate future and current permissions and repair the paths if needed to synchronize the permission.
ylecornec and others added 14 commits December 14, 2023 17:13
@ylecornec
Acls: remove canAccess use_future argument
96cb115
@ylecornec
Acls: permission check when importing a folder with builtins.path
2820eb4 
If a folder was already imported to the store and we do not have permission to this store path, we may be able to edit the permissions if we have read access to all the files of this folder.
@ylecornec
Acls: Test importing a private folder
c1912d8
@balsoft
Don't account for trusted users in ensureAccess
9c75782
@balsoft
Make the 'should be synced' message debug-only
8ee4043
@balsoft
Fix perl bindings build
af84767
@ylecornec
Reactivate runtime closure check
f967eb6
@ylecornec
Acls test: fix for runtime closure checks
d167252
@ylecornec
Merge remote-tracking branch 'tweag/acls' into ylecornec/remove_curre…
53c8eb5 
…nt_future
@ylecornec
Acls: reactivate ensureAccess and move the call to setAccessStatus
8841d0d 
This way we only call ensureAccess in cases where the permissions are updated. In particular, we do not want to call ensureAccess if you depend on an already built derivation you could not build yourself, but want to use its public outputs.
@ylecornec
Acls: Fix tests after activating ensureAccess
9f63760
@ylecornec
Acls: add tests using flakes
045f1e8
@ylecornec
Acls: merge {add/remove}AllowedEntities current and future
e90e479
@ylecornec
Acls documentation: fix markdown files paths.
df135f2
@balsoft balsoft mentioned this pull request Jan 11, 2024
Open
8 tasks
@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/tweag-nix-dev-update-54/39990/1

@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/tweag-nix-dev-update-55/40996/1

@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/secrets-in-nix-suck-and-how-to-fix-them/43822/5

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Ericson2314 Ericson2314 Awaiting requested review from Ericson2314 Ericson2314 will be requested when the pull request is marked ready for review Ericson2314 is a code owner

@fricklerhandwerk fricklerhandwerk Awaiting requested review from fricklerhandwerk fricklerhandwerk will be requested when the pull request is marked ready for review fricklerhandwerk is a code owner

@roberth roberth Awaiting requested review from roberth roberth will be requested when the pull request is marked ready for review roberth is a code owner

@edolstra edolstra Awaiting requested review from edolstra edolstra will be requested when the pull request is marked ready for review edolstra is a code owner

Assignees
No one assigned
Labels
documentation new-cli Relating to the "nix" command store Issues and pull requests concerning the Nix store with-tests Issues related to testing. PRs with tests have some priority
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@balsoft @nixos-discourse @ylecornec