diff --git a/docs/release-notes/rl-2211.adoc b/docs/release-notes/rl-2211.adoc index dccace68c..046995d52 100644 --- a/docs/release-notes/rl-2211.adoc +++ b/docs/release-notes/rl-2211.adoc @@ -97,3 +97,17 @@ These changes are only active if the `home.stateVersion` option is set to "22.11 value of <> if <> is enabled. Otherwise it is undefined and must be specified in the user configuration. + +* The activation script now resets `PATH` before running. Before, the +user's `PATH` environment variable would be used in the script and +this made it possible for commands in the activation script to run +arbitrary commands accessible to the user. We now restrict the +activation script to commands that are explicitly specified. ++ +There is no official way to restore the old behavior. We attempt to +make the activation script as reproducible as possible and honoring +the user's `PATH` reduces reproducibility. ++ +If you need to run a command in an activation script block then refer +to the command by its absolute command path, such as +`${pkgs.hello}/bin/hello`. diff --git a/modules/home-environment.nix b/modules/home-environment.nix index f609558e1..9d61cc99f 100644 --- a/modules/home-environment.nix +++ b/modules/home-environment.nix @@ -346,12 +346,18 @@ in home.emptyActivationPath = mkOption { internal = true; - default = false; type = types.bool; + default = versionAtLeast stateVersion "22.11"; + defaultText = literalExpression '' + false for state version < 22.11, + true for state version ≥ 22.11 + ''; description = '' Whether the activation script should start with an empty - PATH variable. When false - then the user's PATH will be used. + PATH variable. When false then the + user's PATH will be accessible in the script. It is + recommended to keep this at true to avoid + uncontrolled use of tools found in PATH. ''; }; @@ -672,7 +678,17 @@ in gnugrep gnused ncurses # For `tput`. - ] ++ config.home.extraActivationPath + ] + ++ optional (config.nix.enable && config.nix.package != null) config.nix.package + ++ config.home.extraActivationPath + ) + + ( + # Add path of the Nix binaries, if a Nix package is configured, then + # use that one, otherwise grab the path of the nix-env tool. + if config.nix.enable && config.nix.package != null then + ":${config.nix.package}/bin" + else + ":$(dirname $(readlink -m $(type -p nix-env)))" ) + optionalString (!cfg.emptyActivationPath) "\${PATH:+:}$PATH"; diff --git a/nixos/common.nix b/nixos/common.nix index bbc0f976a..25872b254 100644 --- a/nixos/common.nix +++ b/nixos/common.nix @@ -35,7 +35,7 @@ let # Make activation script use same version of Nix as system as a whole. # This avoids problems with Nix not being in PATH. - home.extraActivationPath = [ config.nix.package ]; + nix.package = config.nix.package; }; }) ] ++ cfg.sharedModules;