Michael Raskin wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hello. > > Currently, /nix/store entries have the "write permission" bit removed > after a successful build. This protects them from some writes. But > programs that have to be run as root may just assume that some file in > $PREFIX/share is writable and write there - it will work. > > Some filesystems (ext2-ext4 included) support "file attributes" > (notably immutability). As far as I know, the only way to write to a > file with "i" file attribute set is to call the ioctl to remove this > flag. While writing inside $PREFIX is often done in good faith, not many > programs need to do or do anything with file attributes. > > Is it a good idea to (optionally) run "chattr -R +i $out" after > successful builds and "chattr -R -i $path" when garbage collecting? I agree but first we should check store integrity on some real computer to find out which files are overwritten and realise why they're overwritten (AFAIR, something wrong with $linux/).
_______________________________________________ nix-dev mailing list [email protected] https://mail.cs.uu.nl/mailman/listinfo/nix-dev
