Hi Marc,

I have thought about this issue multiple times. I see another solution, which implies the implementation of the following rules:

- Restricted files/data should not be copied into the store and should cause the failure of the build process.
- The permissions of a derivation correspond to the intersection of all dependencies' permissions.

Thus you have no risk in copying data which may compromise your system. To build your derivation you need a nix store with restricted access which can inherit derivations from the primary nix store without copying stuff. Currently you can use NIX_OTHER_STORES, but this copies data.

restricted nix/store: /nix/users/root/store/

On Fri, Dec 25, 2009 at 08:41, Marc Weber <[email protected]> wrote:
> It is convenient to define passwords in /etc/nixos/configuration.nix.
> However, why shouldn't we put passwords there? Because they most probably
> can be found in some .drv or /nix/store/* files which are world
> readable, correct?
>
> This applies to the extraUsers as well:
> usersFile = pkgs.writeText "users" (concatStrings (map serializedUser
> users));
>
> How to remedy this problem?
>
> I'd fix this by adding a new primop writeFileToPath destination text.
>
> Then instead of pkgs.writeText you could use
>
> writeFileToPath /root/extraUsers.txt "[ .. file contents .. ]"
>
> Then you have to take care that /etc/nixos/configuration.nix isn't
> world readable. The nix process run by nixos-rebuild is run by root,
> correct? So nobody can access its memory. It might be the case that nix
> writes the file multiple times, which wouldn't matter.
>
> Actually I don't care that much about extraUsers.. I care about creating
> database accounts automatically. This can be done similarly to
> extraUsers.. However, not every user who can log in is allowed to access
> all databases.
>
> So what do you think about builtins.writeFileToPath
> "file-path-no-store-location" "contents" ?
>
> Is there another way to keep passwords top secret *and* specify them in
> one configuration file (/etc/nixos/configuration.nix) which can be
> implemented even faster than this primop?
>
> Marc Weber
> _______________________________________________
> nix-dev mailing list
> [email protected]
> https://mail.cs.uu.nl/mailman/listinfo/nix-dev

--
Nicolas Pierron
http://www.linkedin.com/in/nicolasbpierron - http://nbp.name/
Lars Rasmussen (Google IO 2009) - Icland is an icland.
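The concern raised in this thread is that anything passed through pkgs.writeText (or embedded in a .drv) ends up as a world-readable file under the store. The following is an added example, not code from either poster or from Nix itself: a small POSIX shell check that scans a store directory for world-readable regular files containing a given secret string, so you can verify after a rebuild whether a password from configuration.nix has leaked. The function names and the directory you point it at are assumptions for illustration; it needs no Nix installation to run.

```shell
#!/bin/sh
# Added example (not from the thread). Lists world-readable regular files
# under $1 (assumed to be a Nix store such as /nix/store) whose contents
# contain the fixed string $2. Both .drv files and build outputs are covered
# because the scan is by file permission and content, not by name.
find_leaked_secret() {
  store="$1"
  secret="$2"
  # -perm -o=r : only files readable by "other" (what any local user can read)
  # grep -lF   : print the path of each file containing the literal string
  find "$store" -type f -perm -o=r -exec grep -lF -- "$secret" {} + 2>/dev/null
}

# Returns 0 when the secret does not appear in any world-readable file
# under the store, 1 otherwise. Intended as a post-rebuild sanity check.
assert_no_leak() {
  [ -z "$(find_leaked_secret "$1" "$2")" ]
}

# Usage (hypothetical values):
#   assert_no_leak /nix/store 'my-db-password' || echo "secret is world-readable in the store"
```

Note that the check only tells you a secret is present in a readable file; a file that is mode 0600 but owned by the wrong user, or a secret that was transformed before being written (hashed, base64-encoded), will not be caught, which is exactly why the thread argues for keeping such material out of the store entirely.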
