From 886675991b643b701a33f533443db165c70692d1 Mon Sep 17 00:00:00 2001 From: Robert Helgesson Date: Thu, 3 Nov 2022 15:00:29 +0100 Subject: [PATCH] home-environment: reset PATH in activation script Starting with state version 22.11 we completely reset the PATH variable in the activation script. This is to avoid impurities and unexpected results if the activation script accidentally uses a command found in the user's PATH. --- docs/release-notes/rl-2211.adoc | 14 ++++++++++++++ modules/home-environment.nix | 24 ++++++++++++++++++++---- nixos/common.nix | 2 +- 3 files changed, 35 insertions(+), 5 deletions(-) diff --git a/docs/release-notes/rl-2211.adoc b/docs/release-notes/rl-2211.adoc index dccace68c..046995d52 100644 --- a/docs/release-notes/rl-2211.adoc +++ b/docs/release-notes/rl-2211.adoc @@ -97,3 +97,17 @@ These changes are only active if the `home.stateVersion` option is set to "22.11 value of <> if <> is enabled. Otherwise it is undefined and must be specified in the user configuration. + +* The activation script now resets `PATH` before running. Before, the +user's `PATH` environment variable would be used in the script and +this made it possible for commands in the activation script to run +arbitrary commands accessible to the user. We now restrict the +activation script to commands that are explicitly specified. ++ +There is no official way to restore the old behavior. We attempt to +make the activation script as reproducible as possible and honoring +the user's `PATH` reduces reproducibility. ++ +If you need to run a command in an activation script block then refer +to the command by its absolute command path, such as +`${pkgs.hello}/bin/hello`. diff --git a/modules/home-environment.nix b/modules/home-environment.nix index f609558e1..9d61cc99f 100644 --- a/modules/home-environment.nix +++ b/modules/home-environment.nix @@ -346,12 +346,18 @@ in home.emptyActivationPath = mkOption { internal = true; - default = false; type = types.bool; + default = versionAtLeast stateVersion "22.11"; + defaultText = literalExpression '' + false for state version < 22.11, + true for state version ≥ 22.11 + ''; description = '' Whether the activation script should start with an empty - PATH variable. When false - then the user's PATH will be used. + PATH variable. When false then the + user's PATH will be accessible in the script. It is + recommended to keep this at true to avoid + uncontrolled use of tools found in PATH. ''; }; @@ -672,7 +678,17 @@ in gnugrep gnused ncurses # For `tput`. - ] ++ config.home.extraActivationPath + ] + ++ optional (config.nix.enable && config.nix.package != null) config.nix.package + ++ config.home.extraActivationPath + ) + + ( + # Add path of the Nix binaries, if a Nix package is configured, then + # use that one, otherwise grab the path of the nix-env tool. + if config.nix.enable && config.nix.package != null then + ":${config.nix.package}/bin" + else + ":$(dirname $(readlink -m $(type -p nix-env)))" ) + optionalString (!cfg.emptyActivationPath) "\${PATH:+:}$PATH"; diff --git a/nixos/common.nix b/nixos/common.nix index bbc0f976a..25872b254 100644 --- a/nixos/common.nix +++ b/nixos/common.nix @@ -35,7 +35,7 @@ let # Make activation script use same version of Nix as system as a whole. # This avoids problems with Nix not being in PATH. - home.extraActivationPath = [ config.nix.package ]; + nix.package = config.nix.package; }; }) ] ++ cfg.sharedModules;