restrict-eval and readFile on builtins.path #3234
Comments
Indeed
I marked this as stale due to inactivity. → More info
Has this been resolved?
Perhaps #5163?
I marked this as stale due to inactivity. → More info
I believe this is solved. Re-open if needed.
There is something I do not understand about `restrict-eval`. My assumption was that it disallowed any `readFile` et al. from derivations, but that appears not to be the case. I put together this Nix snippet, of which some targets fail to evaluate, which I cannot explain:

It is basically different ways of reading a file, which may or may not come from a derivation. Run with the following command:

- `p1` working makes sense.
- `p2` working makes sense as well, since we create a `path` from an existing path.
- `p3` failing fits with my understanding of restrict-eval preventing reading from derivation, as well as `p4`, `p6` and `p7` failing.
- `p5` working fits my new understanding that restrict-eval does not prevent reading from derivation. This however contradicts the point above.
- `p8` is a complete mystery, unless `builtins.path` itself creates some issue that is then resolved by wrapping everything in a (non-`builtins.path`) derivation.

The question is: is this a bug in `builtins.path`? If not, what is the benefit of preventing access to `builtins.path` derivations (`p7`), but not to derivations importing `builtins.path` (`p8`)?

EDIT: I just discovered the option `allow-import-from-derivation`. When set to `false`, `p5` and `p8` fail as well, which makes sense. I then do believe that the issue here is a bug in `builtins.path`.