2015-01-24 11:40:40 -08:00
|
|
|
<chapter xmlns="http://docbook.org/ns/docbook"
|
2015-12-07 11:41:18 -08:00
|
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
|
|
xml:id="chap-packageconfig">
|
2015-01-24 11:40:40 -08:00
|
|
|
|
2017-02-01 07:03:42 -08:00
|
|
|
<title>Global configuration</title>
|
2015-01-24 11:40:40 -08:00
|
|
|
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
<para>Nix comes with certain defaults about what packages can and
|
|
|
|
cannot be installed, based on a package's metadata. By default, Nix
|
|
|
|
will prevent installation if any of the following criteria are
|
|
|
|
true:</para>
|
2015-12-07 11:41:18 -08:00
|
|
|
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
<itemizedlist>
|
2017-02-26 01:31:55 -08:00
|
|
|
<listitem><para>The package is thought to be broken, and has had
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
its <literal>meta.broken</literal> set to
|
|
|
|
<literal>true</literal>.</para></listitem>
|
|
|
|
|
|
|
|
<listitem><para>The package's <literal>meta.license</literal> is set
|
|
|
|
to a license which is considered to be unfree.</para></listitem>
|
|
|
|
|
|
|
|
<listitem><para>The package has known security vulnerabilities but
|
|
|
|
has not or can not be updated for some reason, and a list of issues
|
|
|
|
has been entered in to the package's
|
|
|
|
<literal>meta.knownVulnerabilities</literal>.</para></listitem>
|
|
|
|
</itemizedlist>
|
2015-01-25 12:26:05 -08:00
|
|
|
|
2017-02-26 01:31:55 -08:00
|
|
|
<para>Note that all this is checked during evaluation already,
|
|
|
|
and the check includes any package that is evaluated.
|
|
|
|
In particular, all build-time dependencies are checked.
|
|
|
|
<literal>nix-env -qa</literal> will (attempt to) hide any packages
|
|
|
|
that would be refused.
|
|
|
|
</para>
|
|
|
|
|
|
|
|
<para>Each of these criteria can be altered in the nixpkgs
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
configuration.</para>
|
|
|
|
|
|
|
|
<para>The nixpkgs configuration for a NixOS system is set in the
|
|
|
|
<literal>configuration.nix</literal>, as in the following example:
|
|
|
|
<programlisting>
|
|
|
|
{
|
|
|
|
nixpkgs.config = {
|
|
|
|
allowUnfree = true;
|
|
|
|
};
|
|
|
|
}
|
|
|
|
</programlisting>
|
|
|
|
However, this does not allow unfree software for individual users.
|
|
|
|
Their configurations are managed separately.</para>
|
|
|
|
|
|
|
|
<para>A user's of nixpkgs configuration is stored in a user-specific
|
|
|
|
configuration file located at
|
|
|
|
<filename>~/.config/nixpkgs/config.nix</filename>. For example:
|
2015-12-07 11:41:18 -08:00
|
|
|
<programlisting>
|
|
|
|
{
|
2015-02-15 09:29:52 -08:00
|
|
|
allowUnfree = true;
|
2015-12-07 11:41:18 -08:00
|
|
|
}
|
|
|
|
</programlisting>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
</para>
|
2015-12-07 11:41:18 -08:00
|
|
|
|
2017-11-01 14:32:52 -07:00
|
|
|
<para>Note that we are not able to test or build unfree software on Hydra
|
|
|
|
due to policy. Most unfree licenses prohibit us from either executing or
|
|
|
|
distributing the software.</para>
|
|
|
|
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
<section xml:id="sec-allow-broken">
|
|
|
|
<title>Installing broken packages</title>
|
2015-12-07 11:41:18 -08:00
|
|
|
|
|
|
|
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
<para>There are two ways to try compiling a package which has been
|
|
|
|
marked as broken.</para>
|
2015-12-07 11:41:18 -08:00
|
|
|
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
<itemizedlist>
|
|
|
|
<listitem><para>
|
|
|
|
For allowing the build of a broken package once, you can use an
|
|
|
|
environment variable for a single invocation of the nix tools:
|
2015-12-07 11:41:18 -08:00
|
|
|
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
<programlisting>$ export NIXPKGS_ALLOW_BROKEN=1</programlisting>
|
|
|
|
</para></listitem>
|
2015-12-07 11:41:18 -08:00
|
|
|
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
<listitem><para>
|
|
|
|
For permanently allowing broken packages to be built, you may
|
|
|
|
add <literal>allowBroken = true;</literal> to your user's
|
|
|
|
configuration file, like this:
|
|
|
|
|
2017-02-26 01:31:55 -08:00
|
|
|
<programlisting>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
{
|
|
|
|
allowBroken = true;
|
2017-02-26 01:31:55 -08:00
|
|
|
}
|
|
|
|
</programlisting>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
</para></listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section xml:id="sec-allow-unfree">
|
|
|
|
<title>Installing unfree packages</title>
|
2015-12-07 11:41:18 -08:00
|
|
|
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
<para>There are several ways to tweak how Nix handles a package
|
|
|
|
which has been marked as unfree.</para>
|
2015-12-07 11:41:18 -08:00
|
|
|
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
<itemizedlist>
|
|
|
|
<listitem><para>
|
|
|
|
To temporarily allow all unfree packages, you can use an
|
|
|
|
environment variable for a single invocation of the nix tools:
|
2015-12-07 11:41:18 -08:00
|
|
|
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
<programlisting>$ export NIXPKGS_ALLOW_UNFREE=1</programlisting>
|
|
|
|
</para></listitem>
|
|
|
|
|
|
|
|
<listitem><para>
|
|
|
|
It is possible to permanently allow individual unfree packages,
|
|
|
|
while still blocking unfree packages by default using the
|
|
|
|
<literal>allowUnfreePredicate</literal> configuration
|
|
|
|
option in the user configuration file.</para>
|
|
|
|
|
|
|
|
<para>This option is a function which accepts a package as a
|
|
|
|
parameter, and returns a boolean. The following example
|
|
|
|
configuration accepts a package and always returns false:
|
2015-12-07 11:41:18 -08:00
|
|
|
<programlisting>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
{
|
|
|
|
allowUnfreePredicate = (pkg: false);
|
|
|
|
}
|
2015-12-07 11:41:18 -08:00
|
|
|
</programlisting>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
</para>
|
2015-12-07 11:41:18 -08:00
|
|
|
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
<para>A more useful example, the following configuration allows
|
|
|
|
only allows flash player and visual studio code:
|
2015-12-07 11:41:18 -08:00
|
|
|
|
|
|
|
<programlisting>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
{
|
|
|
|
allowUnfreePredicate = (pkg: elem (builtins.parseDrvName pkg.name).name [ "flashplayer" "vscode" ]);
|
|
|
|
}
|
2015-12-07 11:41:18 -08:00
|
|
|
</programlisting>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
</para></listitem>
|
2015-01-25 12:26:05 -08:00
|
|
|
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
<listitem>
|
|
|
|
<para>It is also possible to whitelist and blacklist licenses
|
|
|
|
that are specifically acceptable or not acceptable, using
|
|
|
|
<literal>whitelistedLicenses</literal> and
|
|
|
|
<literal>blacklistedLicenses</literal>, respectively.
|
|
|
|
</para>
|
2015-12-07 11:41:18 -08:00
|
|
|
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
<para>The following example configuration whitelists the
|
|
|
|
licenses <literal>amd</literal> and <literal>wtfpl</literal>:
|
2015-01-24 11:40:40 -08:00
|
|
|
|
2015-12-07 11:41:18 -08:00
|
|
|
<programlisting>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
{
|
|
|
|
whitelistedLicenses = with stdenv.lib.licenses; [ amd wtfpl ];
|
|
|
|
}
|
2015-12-07 11:41:18 -08:00
|
|
|
</programlisting>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
</para>
|
2015-12-07 11:41:18 -08:00
|
|
|
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
<para>The following example configuration blacklists the
|
|
|
|
<literal>gpl3</literal> and <literal>agpl3</literal> licenses:
|
2015-12-07 11:41:18 -08:00
|
|
|
|
|
|
|
<programlisting>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
{
|
|
|
|
blacklistedLicenses = with stdenv.lib.licenses; [ agpl3 gpl3 ];
|
|
|
|
}
|
2015-12-07 11:41:18 -08:00
|
|
|
</programlisting>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
</para>
|
|
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
|
|
|
|
<para>A complete list of licenses can be found in the file
|
|
|
|
<filename>lib/licenses.nix</filename> of the nixpkgs tree.</para>
|
|
|
|
</section>
|
2015-12-07 11:41:18 -08:00
|
|
|
|
|
|
|
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
<section xml:id="sec-allow-insecure">
|
|
|
|
<title>
|
|
|
|
Installing insecure packages
|
|
|
|
</title>
|
2015-12-07 11:41:18 -08:00
|
|
|
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
<para>There are several ways to tweak how Nix handles a package
|
2017-02-26 01:31:55 -08:00
|
|
|
which has been marked as insecure.</para>
|
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-16 18:02:13 -08:00
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem><para>
|
|
|
|
To temporarily allow all insecure packages, you can use an
|
|
|
|
environment variable for a single invocation of the nix tools:
|
|
|
|
|
|
|
|
<programlisting>$ export NIXPKGS_ALLOW_INSECURE=1</programlisting>
|
|
|
|
</para></listitem>
|
|
|
|
|
|
|
|
<listitem><para>
|
|
|
|
It is possible to permanently allow individual insecure
|
|
|
|
packages, while still blocking other insecure packages by
|
|
|
|
default using the <literal>permittedInsecurePackages</literal>
|
|
|
|
configuration option in the user configuration file.</para>
|
|
|
|
|
|
|
|
<para>The following example configuration permits the
|
|
|
|
installation of the hypothetically insecure package
|
|
|
|
<literal>hello</literal>, version <literal>1.2.3</literal>:
|
|
|
|
<programlisting>
|
|
|
|
{
|
|
|
|
permittedInsecurePackages = [
|
|
|
|
"hello-1.2.3"
|
|
|
|
];
|
|
|
|
}
|
|
|
|
</programlisting>
|
|
|
|
</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem><para>
|
|
|
|
It is also possible to create a custom policy around which
|
|
|
|
insecure packages to allow and deny, by overriding the
|
|
|
|
<literal>allowInsecurePredicate</literal> configuration
|
|
|
|
option.</para>
|
|
|
|
|
|
|
|
<para>The <literal>allowInsecurePredicate</literal> option is a
|
|
|
|
function which accepts a package and returns a boolean, much
|
|
|
|
like <literal>allowUnfreePredicate</literal>.</para>
|
|
|
|
|
|
|
|
<para>The following configuration example only allows insecure
|
|
|
|
packages with very short names:
|
|
|
|
|
|
|
|
<programlisting>
|
|
|
|
{
|
|
|
|
allowInsecurePredicate = (pkg: (builtins.stringLength (builtins.parseDrvName pkg.name).name) <= 5);
|
|
|
|
}
|
|
|
|
</programlisting>
|
|
|
|
</para>
|
|
|
|
|
|
|
|
<para>Note that <literal>permittedInsecurePackages</literal> is
|
|
|
|
only checked if <literal>allowInsecurePredicate</literal> is not
|
|
|
|
specified.
|
|
|
|
</para></listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
</section>
|
2015-12-07 11:41:18 -08:00
|
|
|
|
|
|
|
<!--============================================================-->
|
2015-04-20 08:54:39 -07:00
|
|
|
|
2015-05-31 09:41:34 -07:00
|
|
|
<section xml:id="sec-modify-via-packageOverrides"><title>Modify
|
|
|
|
packages via <literal>packageOverrides</literal></title>
|
2015-04-20 08:54:39 -07:00
|
|
|
|
2015-12-07 11:41:18 -08:00
|
|
|
<para>You can define a function called
|
|
|
|
<varname>packageOverrides</varname> in your local
|
2017-06-11 13:12:59 -07:00
|
|
|
<filename>~/.config/nixpkgs/config.nix</filename> to override nix packages. It
|
2015-12-07 11:41:18 -08:00
|
|
|
must be a function that takes pkgs as an argument and return modified
|
|
|
|
set of packages.
|
2015-04-20 14:09:45 -07:00
|
|
|
|
2015-12-07 11:41:18 -08:00
|
|
|
<programlisting>
|
|
|
|
{
|
2015-04-20 14:09:45 -07:00
|
|
|
packageOverrides = pkgs: rec {
|
|
|
|
foo = pkgs.foo.override { ... };
|
|
|
|
};
|
2015-12-07 11:41:18 -08:00
|
|
|
}
|
|
|
|
</programlisting>
|
|
|
|
|
2015-04-20 08:54:39 -07:00
|
|
|
</para>
|
2015-12-07 11:41:18 -08:00
|
|
|
|
2015-04-20 08:54:39 -07:00
|
|
|
</section>
|
2015-01-25 05:30:27 -08:00
|
|
|
|
2017-05-20 20:25:05 -07:00
|
|
|
<section xml:id="sec-declarative-package-management">
|
|
|
|
<title>Declarative Package Management</title>
|
|
|
|
|
|
|
|
<section xml:id="sec-building-environment">
|
|
|
|
<title>Build an environment</title>
|
|
|
|
|
|
|
|
<para>
|
|
|
|
Using <literal>packageOverrides</literal>, it is possible to manage
|
|
|
|
packages declaratively. This means that we can list all of our desired
|
|
|
|
packages within a declarative Nix expression. For example, to have
|
|
|
|
<literal>aspell</literal>, <literal>bc</literal>,
|
|
|
|
<literal>ffmpeg</literal>, <literal>coreutils</literal>,
|
|
|
|
<literal>gdb</literal>, <literal>nixUnstable</literal>,
|
|
|
|
<literal>emscripten</literal>, <literal>jq</literal>,
|
|
|
|
<literal>nox</literal>, and <literal>silver-searcher</literal>, we could
|
|
|
|
use the following in <filename>~/.config/nixpkgs/config.nix</filename>:
|
|
|
|
</para>
|
|
|
|
|
|
|
|
<screen>
|
|
|
|
{
|
|
|
|
packageOverrides = pkgs: with pkgs; {
|
|
|
|
myPackages = pkgs.buildEnv {
|
|
|
|
name = "my-packages";
|
|
|
|
paths = [ aspell bc coreutils gdb ffmpeg nixUnstable emscripten jq nox silver-searcher ];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|
|
|
|
</screen>
|
|
|
|
|
|
|
|
<para>
|
|
|
|
To install it into our environment, you can just run <literal>nix-env -iA
|
|
|
|
nixpkgs.myPackages</literal>. If you want to load the packages to be built
|
|
|
|
from a working copy of <literal>nixpkgs</literal> you just run
|
|
|
|
<literal>nix-env -f. -iA myPackages</literal>. To explore what's been
|
|
|
|
installed, just look through <filename>~/.nix-profile/</filename>. You can
|
|
|
|
see that a lot of stuff has been installed. Some of this stuff is useful
|
|
|
|
some of it isn't. Let's tell Nixpkgs to only link the stuff that we want:
|
|
|
|
</para>
|
|
|
|
|
|
|
|
<screen>
|
|
|
|
{
|
|
|
|
packageOverrides = pkgs: with pkgs; {
|
|
|
|
myPackages = pkgs.buildEnv {
|
|
|
|
name = "my-packages";
|
|
|
|
paths = [ aspell bc coreutils gdb ffmpeg nixUnstable emscripten jq nox silver-searcher ];
|
|
|
|
pathsToLink = [ "/share" "/bin" ];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|
|
|
|
</screen>
|
|
|
|
|
|
|
|
<para>
|
|
|
|
<literal>pathsToLink</literal> tells Nixpkgs to only link the paths listed
|
|
|
|
which gets rid of the extra stuff in the profile.
|
|
|
|
<filename>/bin</filename> and <filename>/share</filename> are good
|
|
|
|
defaults for a user environment, getting rid of the clutter. If you are
|
|
|
|
running on Nix on MacOS, you may want to add another path as well,
|
|
|
|
<filename>/Applications</filename>, that makes GUI apps available.
|
|
|
|
</para>
|
|
|
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section xml:id="sec-getting-documentation">
|
|
|
|
<title>Getting documentation</title>
|
|
|
|
|
|
|
|
<para>
|
|
|
|
After building that new environment, look through
|
|
|
|
<filename>~/.nix-profile</filename> to make sure everything is there that
|
|
|
|
we wanted. Discerning readers will note that some files are missing. Look
|
|
|
|
inside <filename>~/.nix-profile/share/man/man1/</filename> to verify this.
|
|
|
|
There are no man pages for any of the Nix tools! This is because some
|
|
|
|
packages like Nix have multiple outputs for things like documentation (see
|
|
|
|
section 4). Let's make Nix install those as well.
|
|
|
|
</para>
|
|
|
|
|
|
|
|
<screen>
|
|
|
|
{
|
|
|
|
packageOverrides = pkgs: with pkgs; {
|
|
|
|
myPackages = pkgs.buildEnv {
|
|
|
|
name = "my-packages";
|
|
|
|
paths = [ aspell bc coreutils ffmpeg nixUnstable emscripten jq nox silver-searcher ];
|
|
|
|
pathsToLink = [ "/share/man" "/share/doc" /bin" ];
|
|
|
|
extraOutputsToInstall = [ "man" "doc" ];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|
|
|
|
</screen>
|
|
|
|
|
|
|
|
<para>
|
|
|
|
This provides us with some useful documentation for using our packages.
|
|
|
|
However, if we actually want those manpages to be detected by man, we need
|
|
|
|
to set up our environment. This can also be managed within Nix
|
|
|
|
expressions.
|
|
|
|
</para>
|
|
|
|
|
|
|
|
<screen>
|
|
|
|
{
|
|
|
|
packageOverrides = pkgs: with pkgs; rec {
|
|
|
|
myProfile = writeText "my-profile" ''
|
|
|
|
export PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
|
|
|
export MANPATH=$HOME/.nix-profile/share/man:/nix/var/nix/profiles/default/share/man:/usr/share/man
|
|
|
|
'';
|
|
|
|
myPackages = pkgs.buildEnv {
|
|
|
|
name = "my-packages";
|
|
|
|
paths = [
|
|
|
|
(runCommand "profile" {} ''
|
|
|
|
mkdir -p $out/etc/profile.d
|
|
|
|
cp ${myProfile} $out/etc/profile.d/my-profile.sh
|
|
|
|
'')
|
|
|
|
aspell
|
|
|
|
bc
|
|
|
|
coreutils
|
|
|
|
ffmpeg
|
|
|
|
man
|
|
|
|
nixUnstable
|
|
|
|
emscripten
|
|
|
|
jq
|
|
|
|
nox
|
|
|
|
silver-searcher
|
|
|
|
];
|
|
|
|
pathsToLink = [ "/share/man" "/share/doc" /bin" "/etc" ];
|
|
|
|
extraOutputsToInstall = [ "man" "doc" ];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|
|
|
|
</screen>
|
|
|
|
|
|
|
|
<para>
|
|
|
|
For this to work fully, you must also have this script sourced when you
|
|
|
|
are logged in. Try adding something like this to your
|
|
|
|
<filename>~/.profile</filename> file:
|
|
|
|
</para>
|
|
|
|
|
|
|
|
<screen>
|
|
|
|
#!/bin/sh
|
|
|
|
if [ -d $HOME/.nix-profile/etc/profile.d ]; then
|
|
|
|
for i in $HOME/.nix-profile/etc/profile.d/*.sh; do
|
|
|
|
if [ -r $i ]; then
|
|
|
|
. $i
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
fi
|
|
|
|
</screen>
|
|
|
|
|
|
|
|
<para>
|
|
|
|
Now just run <literal>source $HOME/.profile</literal> and you can starting
|
|
|
|
loading man pages from your environent.
|
|
|
|
</para>
|
|
|
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
<section xml:id="sec-gnu-info-setup">
|
|
|
|
<title>GNU info setup</title>
|
|
|
|
|
|
|
|
<para>
|
|
|
|
Configuring GNU info is a little bit trickier than man pages. To work
|
|
|
|
correctly, info needs a database to be generated. This can be done with
|
|
|
|
some small modifications to our environment scripts.
|
|
|
|
</para>
|
|
|
|
|
|
|
|
<screen>
|
|
|
|
{
|
|
|
|
packageOverrides = pkgs: with pkgs; rec {
|
|
|
|
myProfile = writeText "my-profile" ''
|
|
|
|
export PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
|
|
|
export MANPATH=$HOME/.nix-profile/share/man:/nix/var/nix/profiles/default/share/man:/usr/share/man
|
|
|
|
export INFOPATH=$HOME/.nix-profile/share/info:/nix/var/nix/profiles/default/share/info:/usr/share/info
|
|
|
|
'';
|
|
|
|
myPackages = pkgs.buildEnv {
|
|
|
|
name = "my-packages";
|
|
|
|
paths = [
|
|
|
|
(runCommand "profile" {} ''
|
|
|
|
mkdir -p $out/etc/profile.d
|
|
|
|
cp ${myProfile} $out/etc/profile.d/my-profile.sh
|
|
|
|
'')
|
|
|
|
aspell
|
|
|
|
bc
|
|
|
|
coreutils
|
|
|
|
ffmpeg
|
|
|
|
man
|
|
|
|
nixUnstable
|
|
|
|
emscripten
|
|
|
|
jq
|
|
|
|
nox
|
|
|
|
silver-searcher
|
|
|
|
texinfoInteractive
|
|
|
|
];
|
|
|
|
pathsToLink = [ "/share/man" "/share/doc" "/share/info" "/bin" "/etc" ];
|
|
|
|
extraOutputsToInstall = [ "man" "doc" "info" ];
|
|
|
|
postBuild = ''
|
|
|
|
if [ -x $out/bin/install-info -a -w $out/share/info ]; then
|
|
|
|
shopt -s nullglob
|
|
|
|
for i in $out/share/info/*.info $out/share/info/*.info.gz; do
|
|
|
|
$out/bin/install-info $i $out/share/info/dir
|
|
|
|
done
|
|
|
|
fi
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|
|
|
|
</screen>
|
|
|
|
|
|
|
|
<para>
|
|
|
|
<literal>postBuild</literal> tells Nixpkgs to run a command after building
|
|
|
|
the environment. In this case, <literal>install-info</literal> adds the
|
|
|
|
installed info pages to <literal>dir</literal> which is GNU info's default
|
|
|
|
root node. Note that <literal>texinfoInteractive</literal> is added to the
|
|
|
|
environment to give the <literal>install-info</literal> command.
|
|
|
|
</para>
|
|
|
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
</section>
|
2015-12-07 11:41:18 -08:00
|
|
|
|
2015-04-20 08:54:39 -07:00
|
|
|
</chapter>
|