I agree, the design is questionable, but I keep automatic tests together with the system being developed. Tests should know the original password so I store it as a plain Nix string. But my main question relates to the fact that `import' can read the calculated path from /nix/store and `builtins.readFile' can not. Is it a bug or a feature? Maybe import also should block such attempts and I've just found an exploit?
2014-07-11 12:04 GMT+04:00 Luca Bruno <[email protected]>:
> On 11/07/2014 09:46, Sergey Mironov wrote:
>> Hi. I need to do non-trivial string calculations (encrypt the password
>> with openssl) which AFAIK can't be written in Nix at the moment.
>> That's why I think about a Nix `eval` equivalent. I wonder if it goes
>> against Nix concepts or not? My implementation looks like the
>> following:
>>
>>   encryptPassword = salt: pass: let
>>     # runCommand builds a derivation whose $out holds the quoted hash
>>     p = runCommand "encryptPassword" {} ''
>>       printf '"%s"\n' `${openssl}/bin/openssl passwd -1 -salt ${salt} ${pass}` > $out
>>     '';
>>   in
>>   import p; # <=== (1)
>>
>> It works but note the `import' expression. I tried builtins.readFile
>> instead of it in a previous attempt but failed: Nix issued the [error:
>> string `... (1)' cannot refer to other paths] error. What is the
>> reason for such a difference between readFile and import?
> readFile simply reads the contents of the file. import parses the
> file as a nix expression.
> However putting plain passwords in nix configurations is not a good
> thing. It's better if you write the password already encrypted in a
> file, and read it with readFile.
>
> Best regards
> _______________________________________________
> nix-dev mailing list
> [email protected]
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
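The pattern Luca recommends, written out as an added example (this is not code from the thread or from nixpkgs): the hash is generated once, outside of Nix, so the plaintext never appears in a .nix file, and the configuration only ever reads the already-hashed value with `builtins.readFile`. The file name `./alice.hashed`, the user name `alice` and the availability of `<nixpkgs>` are assumptions; `users.users.<name>.hashedPassword` and `lib.removeSuffix` are real NixOS/nixpkgs names.

```nix
# Added example, not from the thread.  Assumes ./alice.hashed exists next to
# this file and contains only the hash produced earlier by something like
#   openssl passwd -1 -salt <salt>
# typed interactively (openssl prompts for the password when none is given),
# so the plaintext is never committed and never reaches /nix/store.
let
  pkgs = import <nixpkgs> { };
  lib = pkgs.lib;

  # builtins.readFile works here because ./alice.hashed is an ordinary
  # source path.  It fails with "cannot refer to other paths" when handed
  # the output of a derivation that still has to be built, which is the
  # difference the thread is about; `import` triggers that build instead.
  aliceHash = lib.removeSuffix "\n" (builtins.readFile ./alice.hashed);
in
{
  # Only the hash ends up in the generated /etc/shadow and in the store;
  # the salt is already embedded in the hash string.
  users.users.alice.hashedPassword = aliceHash;
}
```

Anything read at evaluation time, including this hash, is still copied into the Nix store and is world-readable there, so this only protects the plaintext; it does not hide the hash from local users.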
