From a9c875fc2e65e80324ce1e624abd2a765ae815f8 Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Thu, 16 Feb 2017 21:02:13 -0500
Subject: nixpkgs: allow packages to be marked insecure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If a package's meta has `knownVulnerabilities`, like so:

    stdenv.mkDerivation {
      name = "foobar-1.2.3";

      ...

      meta.knownVulnerabilities = [
        "CVE-0000-00000: remote code execution"
        "CVE-0000-00001: local privilege escalation"
      ];
    }

and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:

    error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.

    Known issues:

     - CVE-0000-00000: remote code execution
     - CVE-0000-00001: local privilege escalation

    You can install it anyway by whitelisting this package, using the
    following methods:

    a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
       `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
       like so:

         {
           nixpkgs.config.permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

    b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
       ‘foobar-1.2.3’ to `permittedInsecurePackages` in
       ~/.config/nixpkgs/config.nix, like so:

         {
           permittedInsecurePackages = [
             "foobar-1.2.3"
           ];
         }

Adding either of these configurations will permit this specific
version to be installed. A third option also exists:

    NIXPKGS_ALLOW_INSECURE=1 nix-build ...

though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
---
 doc/configuration.xml | 216 ++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 173 insertions(+), 43 deletions(-)

(limited to 'doc/configuration.xml')

diff --git a/doc/configuration.xml b/doc/configuration.xml
index 12e3b8ae851a..064c72a76301 100644
--- a/doc/configuration.xml +++ b/doc/configuration.xml @@ -4,83 +4,213 @@ Global configuration -Nix packages can be configured to allow or deny certain options. +Nix comes with certain defaults about what packages can and +cannot be installed, based on a package's metadata. By default, Nix +will prevent installation if any of the following criteria are +true: -To apply the configuration edit -~/.config/nixpkgs/config.nix and set it like + + The packages is thought to be broken, and has had + its meta.broken set to + true. + + The package's meta.license is set + to a license which is considered to be unfree. + + The package has known security vulnerabilities but + has not or can not be updated for some reason, and a list of issues + has been entered in to the package's + meta.knownVulnerabilities. + +Each of these criteria can be altering the nixpkgs +configuration. + +The nixpkgs configuration for a NixOS system is set in the +configuration.nix, as in the following example: + +{ + nixpkgs.config = { + allowUnfree = true; + }; +} + +However, this does not allow unfree software for individual users. +Their configurations are managed separately. + +A user's of nixpkgs configuration is stored in a user-specific +configuration file located at +~/.config/nixpkgs/config.nix. For example: { allowUnfree = true; } + -and will allow the Nix package manager to install unfree licensed packages. +
+ Installing broken packages -The configuration as listed also applies to NixOS under - set. - + There are two ways to try compiling a package which has been + marked as broken. - - Allow installing of packages that are distributed under - unfree license by setting allowUnfree = - true; or deny them by setting it to - false. + + + For allowing the build of a broken package once, you can use an + environment variable for a single invocation of the nix tools: - Same can be achieved by setting the environment variable: + $ export NIXPKGS_ALLOW_BROKEN=1 + - -$ export NIXPKGS_ALLOW_UNFREE=1 - + + For permanently allowing broken packages to be built, you may + add allowBroken = true; to your user's + configuration file, like this: + + +{ + allowBroken = true; +} + + +
+ +
+ Installing unfree packages - - + There are several ways to tweak how Nix handles a package + which has been marked as unfree. - - Whenever unfree packages are not allowed, single packages - can still be allowed by a predicate function that accepts package - as an argument and should return a boolean: + + + To temporarily allow all unfree packages, you can use an + environment variable for a single invocation of the nix tools: + $ export NIXPKGS_ALLOW_UNFREE=1 + + + + It is possible to permanently allow individual unfree packages, + while still blocking unfree packages by default using the + allowUnfreePredicate configuration + option in the user configuration file. + + This option is a function which accepts a package as a + parameter, and returns a boolean. The following example + configuration accepts a package and always returns false: -allowUnfreePredicate = (pkg: ...); +{ + allowUnfreePredicate = (pkg: false); +} + - Example to allow flash player and visual studio code only: + A more useful example, the following configuration allows + only allows flash player and visual studio code: -allowUnfreePredicate = with builtins; (pkg: elem (parseDrvName pkg.name).name [ "flashplayer" "vscode" ]); +{ + allowUnfreePredicate = (pkg: elem (builtins.parseDrvName pkg.name).name [ "flashplayer" "vscode" ]); +} + - - + + It is also possible to whitelist and blacklist licenses + that are specifically acceptable or not acceptable, using + whitelistedLicenses and + blacklistedLicenses, respectively. 
+ - - Whenever unfree packages are not allowed, packages can still - be whitelisted by their license: + The following example configuration whitelists the + licenses amd and wtfpl: -whitelistedLicenses = with stdenv.lib.licenses; [ amd wtfpl ]; +{ + whitelistedLicenses = with stdenv.lib.licenses; [ amd wtfpl ]; +} - - + - - In addition to whitelisting licenses which are denied by the - allowUnfree setting, you can also explicitely - deny installation of packages which have a certain license: + The following example configuration blacklists the + gpl3 and agpl3 licenses: -blacklistedLicenses = with stdenv.lib.licenses; [ agpl3 gpl3 ]; +{ + blacklistedLicenses = with stdenv.lib.licenses; [ agpl3 gpl3 ]; +} - - + + + + + A complete list of licenses can be found in the file + lib/licenses.nix of the nixpkgs tree. +
- -A complete list of licenses can be found in the file -lib/licenses.nix of the nix package tree. +
+ + Installing insecure packages + + There are several ways to tweak how Nix handles a package + which has been marked as unfree. + + + + To temporarily allow all insecure packages, you can use an + environment variable for a single invocation of the nix tools: + + $ export NIXPKGS_ALLOW_INSECURE=1 + + + + It is possible to permanently allow individual insecure + packages, while still blocking other insecure packages by + default using the permittedInsecurePackages + configuration option in the user configuration file. + + The following example configuration permits the + installation of the hypothetically insecure package + hello, version 1.2.3: + +{ + permittedInsecurePackages = [ + "hello-1.2.3" + ]; +} + + + + + + It is also possible to create a custom policy around which + insecure packages to allow and deny, by overriding the + allowInsecurePredicate configuration + option. + + The allowInsecurePredicate option is a + function which accepts a package and returns a boolean, much + like allowUnfreePredicate. + + The following configuration example only allows insecure + packages with very short names: + + +{ + allowInsecurePredicate = (pkg: (builtins.stringLength (builtins.parseDrvName pkg.name).name) <= 5); +} + + + + Note that permittedInsecurePackages is + only checked if allowInsecurePredicate is not + specified. + + +
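Review bot: the rewritten allowUnfreePredicate example in this hunk drops the `with builtins;` that the removed line carried but still calls a bare `elem`, so `{ allowUnfreePredicate = (pkg: elem (builtins.parseDrvName pkg.name).name [ "flashplayer" "vscode" ]); }` will fail to evaluate in a user's config.nix with an undefined-variable error; write it as `builtins.elem`, consistent with the `builtins.parseDrvName` beside it and with the `allowInsecurePredicate` example later in the hunk, which qualifies both calls. The opening paragraph of the new "Installing insecure packages" section is a copy of the unfree section's intro and still reads "a package which has been marked as unfree"; it should say insecure. The added prose also has a few slips worth fixing before merge: "The packages is thought to be broken" (package), "entered in to" (into), "Each of these criteria can be altering the nixpkgs configuration" (a verb is missing, e.g. "can be overridden by altering"), "A user's of nixpkgs configuration" (A user's nixpkgs configuration), and "the following configuration allows only allows flash player" (duplicated "allows"). Finally, the whitelistedLicenses and blacklistedLicenses examples carried over from the old text use `with stdenv.lib.licenses;`, but they are now presented as complete ~/.config/nixpkgs/config.nix files, where `stdenv` is not in scope; a sentence on where the license attribute set is expected to come from would keep those examples from failing for readers who paste them verbatim.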