
NIX_IGNORE_SYMLINK_STORE is broken due to libarchive flags #5484

Open
marcgalois opened this issue Nov 3, 2021 · 3 comments

Comments

@marcgalois

I have /nix set up as a symlink, which has been working so long as I have the NIX_IGNORE_SYMLINK_STORE set. Since upgrading nix, running nix-channel --update nixpkgs has failed:

$ nix-channel --update nixpkgs
unpacking channels...
error: failed to extract archive (Cannot extract through symlink /nix/store/z80i5ddckxmgn615ql8hjh53fa5crhcw-nixpkgs-21.11pre327016.550dab224a2/nixpkgs-21.11pre327016.550dab224a2)
error: builder for '/nix/store/3rj42ir1zp9hymapmrraars7sng0lbkj-nixpkgs-21.11pre327016.550dab224a2.drv' failed with exit code 1
error: program '/nix/store/jw96hf2xbbb0kw7hia79zlry1v67pzdq-nix-2.4pre-rc1/bin/nix-env' failed with exit code 100

Steps To Reproduce

  1. Set up /nix as a symlink
  2. Set NIX_IGNORE_SYMLINK_STORE to 1
  3. Run nix-channel --update nix-pkgs
  4. See error

Expected behavior

Nix should successfully fetch the new channels

nix-env --version output

nix-env (Nix) 2.4pre-rc1

Root cause

Presumably for security reasons, Nix passes the ARCHIVE_EXTRACT_SECURE_SYMLINKS flag to libarchive. As a result, libarchive refuses to extract through the /nix symlink.

I was going to submit a patch for this problem, which would only add the ARCHIVE_EXTRACT_SECURE_SYMLINKS flag if the allowSymlinkedStore setting was not enabled. Unfortunately, tarfile.cc doesn't seem to have access to the global settings, and so fixing this bug in this manner would require extra plumbing. One alternative would be to just remove the flag entirely (which shouldn't be any less secure than what was being done previously), but it'd probably be preferable to conditionally disable it.

@marcgalois marcgalois added the bug label Nov 3, 2021
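An added example, not code from Nix or libarchive, that models the rule ARCHIVE_EXTRACT_SECURE_SYMLINKS enforces (refuse to write through any symlinked directory below the extraction root) and the store-root exemption a conditional disable tied to allowSymlinkedStore would amount to; the function names, the real-nix directory and the archive member path are constructed for the demo.

```python
import io, os, tarfile, tempfile

def crosses_symlink(dest_root, member_name, allowed=frozenset()):
    """First symlinked directory that member_name would be written through
    (relative to dest_root), or None; names in `allowed` are exempt."""
    cur = dest_root
    for comp in [p for p in member_name.split("/") if p not in ("", ".")][:-1]:
        cur = os.path.join(cur, comp)  # each directory on the way to the leaf
        rel = os.path.relpath(cur, dest_root)
        if os.path.islink(cur) and rel not in allowed:  # allowSymlinkedStore-style exemption
            return rel
    return None

def build_tar(paths):
    """Constructed sample archive: one 4-byte regular file per path."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for p in paths:
            info = tarfile.TarInfo(p)
            info.size = 4
            tf.addfile(info, io.BytesIO(b"{ }\n"))
    buf.seek(0)
    return buf

def secure_extract(tar_bytes, dest_root, allowed=frozenset()):
    """Write regular files, refusing any path that crosses a symlink (the
    ARCHIVE_EXTRACT_SECURE_SYMLINKS rule). Returns (extracted, refused)."""
    extracted, refused = [], []
    with tarfile.open(fileobj=tar_bytes, mode="r") as tf:
        for m in tf.getmembers():
            hit = crosses_symlink(dest_root, m.name, allowed)
            if hit is not None:
                refused.append((m.name, hit))
                continue
            target = os.path.join(dest_root, m.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(tf.extractfile(m).read())
            extracted.append(m.name)
    return extracted, refused

def demo():
    """/nix as a symlink, as in the issue: strict mode refuses the member,
    exempting the store root lets it through. Returns (refused, extracted, file_exists)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "real-nix"))
    os.symlink("real-nix", os.path.join(root, "nix"))  # nix -> real-nix
    member = "nix/store/abc-nixpkgs/default.nix"       # constructed name
    _, refused = secure_extract(build_tar([member]), root)
    extracted, _ = secure_extract(build_tar([member]), root, frozenset({"nix"}))
    return refused, extracted, os.path.isfile(os.path.join(root, "real-nix/store/abc-nixpkgs/default.nix"))
```

The strict call reproduces the "Cannot extract through symlink" refusal at the `nix` component; the second call shows the narrowest relaxation, exempting only the store root rather than dropping the check for every path.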
@zmre

zmre commented Nov 19, 2021

This is making life difficult for me, as well. Anyone have workarounds? Maybe manually downloading and unpacking into the right spot?

@cole-h
Member

cole-h commented Nov 20, 2021

Until there's a good alternative, you could always patch that singular flag out for your local machines.

@marcgalois
Author

This is the diff that I've been using locally. It removes the requisite flag and stops nix from running tests on nix-build, so that nix-build for the repo runs faster.

patch.diff.txt

@stale stale bot added the stale label Aug 12, 2022