Skip to content

Comments

Add granular access control for nix store#9287

Draft
balsoft wants to merge 61 commits intoNixOS:masterfrom
tweag:acls
Draft

Add granular access control for nix store#9287
balsoft wants to merge 61 commits intoNixOS:masterfrom
tweag:acls

Conversation

@balsoft
Copy link
Member

@balsoft balsoft commented Nov 3, 2023

Motivation

Add functionality to manage POSIX ACLs (access control lists) on Nix store paths (including .drv files) and derivation build logs.

In particular:

  • Adds a nix store access command with the following subcommands:
    • info
    • protect / unprotect
    • grant / revoke
  • Adds a --protect flag to nix build and nix store add-*
  • Adds __permissions argument to builtins.derivation, and permissions argument to builtins.path, which allow to control the permissions on corresponding store objects.

For now, all of these are hidden behind --experimental-flags acls

Context

NixOS/rfcs#143

Implementation strategy

  • Add a C++ interface for POSIX ACLs
  • Add a Nix data structure to describe ACLs of a store path (AccessStatus), which can be
    • protected (if NOT protected, readable and executable by everyone; else readable and executable only by entities)
    • entities (list of entities (users and groups) that have access to a path if it is protected)
  • Implement setting and getting AccessStatus on a local store and remote daemon store
    • If the path/derivation does not exist yet, apply the AccessStatus as soon as the path appears
  • Add CLI subcommands and language primitives to manage AccessStatus-es

Priorities

Add 👍 to pull requests you find important.

@github-actions github-actions bot added documentation new-cli Relating to the "nix" command store Issues and pull requests concerning the Nix store labels Nov 3, 2023
@infinisil infinisil mentioned this pull request Nov 7, 2023
Draft
ylecornec and others added 11 commits November 14, 2023 10:57
@ylecornec @balsoft
Add tests/acls.sh
bd56e3e 
This commit also enables acls in tests/init.sh which is common for all the tests. Maybe there is a way to only enable it for acls tests.

Co-Authored-By: Alexander Bantyev <[email protected]>
@ylecornec
acls grant/revoke: Error if group or user does not exists
db3a522 
The User (resp Group) constructor will check the return value of getpwnam (resp getgrnam) and fail with an error message in case of error.
@ylecornec
Acls test: permission of dependency.
aba3181
@ylecornec
revokeBuildUserAccess: only revoke permissions added by grantBuildUse…
8dbea38 
…rAccess
@ylecornec
Acls: add test that revokes the permission of a runtime dependency.
14e474c
@ylecornec
Acls: Refactor integration tests
afd828b 
- comment out failing tests
- split the test script in multiple strings
- add a test that should fail if a permission is missing from a direct runtime dependency
@ylecornec
Acls: disable non integration tests for now
5d97559 
These require enabling `acls` for all the tests (even non acls ones). Which fails at the moment (but should not).
@balsoft
Add json() to AccessStatus
65fe86f
@balsoft
Add protectByDefault setting
db20d22
@balsoft
Add runtime closure invariant
1102fdd
@balsoft
Run acls.sh test properly
6293167
@github-actions github-actions bot added the with-tests Issues related to testing. PRs with tests have some priority label Dec 5, 2023
@balsoft balsoft force-pushed the acls branch 3 times, most recently from 64766bd to 2e468f2 Compare December 5, 2023 10:04
@ylecornec
Acls: Add tests where a public output depend on a private one
9d6c011
@ylecornec
Acls: explicitely access future or current permissions
1ed4965 
Before this, the getAccessStatus/setAccessStatus functions were testing the presence of the path to decide whether to access the current or future permissions. This can be incorrect if the path is already present at the start of the build. So we now decide at call site which set of permission to use.
@ylecornec
Acls: remove some permission adding code which may not be needed anymore
f9e2c4b
@ylecornec
Acls: Also add future permission to paths of StoreObjectDerivationOutput
0c625b0
@ylecornec
Acls: Add ShouldSync path status
7ea4b05 
If a path was already present at the beginning of the build, it does not need to be added to the store so its permissions may not be updated.
We add a check to compate future and current permissions and repair the paths if needed to synchronize the permission.
ylecornec and others added 14 commits December 14, 2023 17:13
@ylecornec
Acls: remove canAccess use_future argument
96cb115
@ylecornec
Acls: permission check when importing a folder with builtins.path
2820eb4 
If a folder was already imported to the store and we do not have permission to this store path, we may be able to edit the permissions if we have read access to all the files of this folder.
@ylecornec
Acls: Test importing a private folder
c1912d8
@balsoft
Don't account for trusted users in ensureAccess
9c75782
@balsoft
Make the 'should be synced' message debug-only
8ee4043
@balsoft
Fix perl bindings build
af84767
@ylecornec
Reactivate runtime closure check
f967eb6
@ylecornec
Acls test: fix for runtime closure checks
d167252
@ylecornec
Merge remote-tracking branch 'tweag/acls' into ylecornec/remove_curre…
53c8eb5 
…nt_future
@ylecornec
Acls: reactivate ensureAccess and move the call to setAccessStatus
8841d0d 
This way we only call ensureAccess in cases where the permissions are updated. In particular, we do not want to call ensureAccess if you depend on an already built derivation you could not build yourself, but want to use its public outputs.
@ylecornec
Acls: Fix tests after activating ensureAccess
9f63760
@ylecornec
Acls: add tests using flakes
045f1e8
@ylecornec
Acls: merge {add/remove}AllowedEntities current and future
e90e479
@ylecornec
Acls documentation: fix markdown files paths.
df135f2
@balsoft balsoft mentioned this pull request Jan 11, 2024
Open
8 tasks
@nixos-discourse
Copy link

nixos-discourse commented Feb 19, 2024

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/tweag-nix-dev-update-54/39990/1

@nixos-discourse
Copy link

nixos-discourse commented Mar 8, 2024

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/tweag-nix-dev-update-55/40996/1

@nixos-discourse
Copy link

nixos-discourse commented Apr 21, 2024

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/secrets-in-nix-suck-and-how-to-fix-them/43822/5

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Ericson2314 Ericson2314 Awaiting requested review from Ericson2314 Ericson2314 will be requested when the pull request is marked ready for review Ericson2314 is a code owner

@edolstra edolstra Awaiting requested review from edolstra edolstra will be requested when the pull request is marked ready for review edolstra is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

documentation new-cli Relating to the "nix" command store Issues and pull requests concerning the Nix store with-tests Issues related to testing. PRs with tests have some priority

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@balsoft @nixos-discourse @ylecornec