authorLudovic Courtès <ludo@gnu.org>2015-08-27 10:58:31 +0200
committerLudovic Courtès <ludo@gnu.org>2015-08-27 10:58:31 +0200
commitef80ca96faeee8d2a07cf87813ddf8fb0c18d700 (patch)
treef8af6411b0f483c42dbb5483a7a46baa6fe84348
parent54e515eb75491f4d32219c223d4c753afb0d2c48 (diff)
daemon: Require a signature for imports made by root.
This reinstates commit aa0f8409, which was inadvertently undone in commit 322eeb87. Running 'guix archive --import' as root would have let corrupt or unauthentic store items through. Reported by Eric Hanchrow <eric.hanchrow@gmail.com> at <http://bugs.gnu.org/21354>. * nix/nix-daemon/nix-daemon.cc (performOp) <wopImportPaths>: Pass true as the first argument to 'importPaths'.
-rw-r--r--nix/nix-daemon/nix-daemon.cc5
1 files changed, 4 insertions, 1 deletions
diff --git a/nix/nix-daemon/nix-daemon.cc b/nix/nix-daemon/nix-daemon.cc
index 2b89190dbe..10159db62e 100644
--- a/nix/nix-daemon/nix-daemon.cc
+++ b/nix/nix-daemon/nix-daemon.cc
@@ -440,7 +440,10 @@ static void performOp(bool trusted, unsigned int clientVersion,
case wopImportPaths: {
startWork();
TunnelSource source(from);
- Paths paths = store->importPaths(!trusted, source);
+
+ /* Unlike Nix, always require a signature, even for "trusted"
+ users. */
+ Paths paths = store->importPaths(true, source);
stopWork();
writeStrings(paths, to);
break;
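Review bot: Nothing in this change guards the `wopImportPaths` case against regressing a second time, even though the commit message says the earlier fix was undone by accident. The diffstat lists only nix-daemon.cc, so there appears to be no test asserting that the daemon refuses an unsigned or tampered archive imported by root; adding one would catch a future merge that restores `!trusted`. The new comment should also say the divergence is deliberate and point at the report, for example `/* Unlike Nix, always require a signature, even for "trusted" users.  Deliberate divergence; keep it when merging upstream (see <http://bugs.gnu.org/21354>). */`. The literal `true` in `importPaths(true, source)` reads only through that comment, so keep the two adjacent. `performOp` begins and continues outside this hunk, so whether `trusted` still gates other operations cannot be checked from here.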