* Fix nix-prefetch-url in setuid Nix installations.
This commit is contained in:
parent
99da51d4de
commit
88888160d2
1 changed files with 20 additions and 9 deletions
|
@ -7,9 +7,18 @@ if test -z "$url"; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
# !!! race? should be relatively safe, `svn export' barfs if $tmpPath exists.
|
||||
# !!! race
|
||||
tmpPath1=@storedir@/nix-prefetch-url-$$
|
||||
|
||||
# Test whether we have write permission in the store. If not, fetch
|
||||
# to /tmp and don't copy to the store. This is a hack to make this
|
||||
# script at least work somewhat in setuid installations.
|
||||
if ! touch $tmpPath1 2> /dev/null; then
|
||||
echo "(cannot write to the store, result won't be cached)" >&2
|
||||
dummyMode=1
|
||||
tmpPath1=/tmp/nix-prefetch-url-$$ # !!! security?
|
||||
fi
|
||||
|
||||
# Perform the checkout.
|
||||
@curl@ --fail --location --max-redirs 20 "$url" > $tmpPath1
|
||||
|
||||
|
@ -17,22 +26,24 @@ tmpPath1=@storedir@/nix-prefetch-url-$$
|
|||
hash=$(@bindir@/nix-hash --flat $tmpPath1)
|
||||
echo "hash is $hash" >&2
|
||||
|
||||
# Rename it so that the fetchsvn builder can find it.
|
||||
tmpPath2=@storedir@/nix-prefetch-url-$hash
|
||||
test -e $tmpPath2 || mv $tmpPath1 $tmpPath2 # !!! race
|
||||
# Rename it so that the fetchurl builder can find it.
|
||||
if test "$dummyMode" != 1; then
|
||||
tmpPath2=@storedir@/nix-prefetch-url-$hash
|
||||
test -e $tmpPath2 || mv $tmpPath1 $tmpPath2 # !!! race
|
||||
fi
|
||||
|
||||
# Create a Nix expression that does a fetchsvn.
|
||||
# Create a Nix expression that does a fetchurl.
|
||||
storeExpr=$( \
|
||||
echo "(import @datadir@/nix/corepkgs/fetchurl) \
|
||||
echo "(import @datadir@/nix/corepkgs/fetchurl) \
|
||||
{url = $url; md5 = \"$hash\"; system = \"@system@\";}" \
|
||||
| @bindir@/nix-instantiate -)
|
||||
| @bindir@/nix-instantiate -)
|
||||
|
||||
# Realise it.
|
||||
finalPath=$(@bindir@/nix-store -qnB --force-realise $storeExpr)
|
||||
|
||||
|
||||
echo "path is $finalPath" >&2
|
||||
|
||||
rm -rf $tmpPath2 || true
|
||||
rm -rf $tmpPath1 $tmpPath2 || true
|
||||
|
||||
echo $hash
|
||||
|
||||
|
|
Loading…
Reference in a new issue