* Fix nix-prefetch-url in setuid Nix installations.
parent
99da51d4de
commit
88888160d2
1 changed files with 20 additions and 9 deletions
|
@ -7,9 +7,18 @@ if test -z "$url"; then
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# !!! race? should be relatively safe, `svn export' barfs if $tmpPath exists.
|
# !!! race
|
||||||
tmpPath1=@storedir@/nix-prefetch-url-$$
|
tmpPath1=@storedir@/nix-prefetch-url-$$
|
||||||
|
|
||||||
|
# Test whether we have write permission in the store. If not, fetch
|
||||||
|
# to /tmp and don't copy to the store. This is a hack to make this
|
||||||
|
# script at least work somewhat in setuid installations.
|
||||||
|
if ! touch $tmpPath1 2> /dev/null; then
|
||||||
|
echo "(cannot write to the store, result won't be cached)" >&2
|
||||||
|
dummyMode=1
|
||||||
|
tmpPath1=/tmp/nix-prefetch-url-$$ # !!! security?
|
||||||
|
fi
|
||||||
|
|
||||||
# Perform the checkout.
|
# Perform the checkout.
|
||||||
@curl@ --fail --location --max-redirs 20 "$url" > $tmpPath1
|
@curl@ --fail --location --max-redirs 20 "$url" > $tmpPath1
|
||||||
|
|
||||||
|
@ -17,22 +26,24 @@ tmpPath1=@storedir@/nix-prefetch-url-$$
|
||||||
hash=$(@bindir@/nix-hash --flat $tmpPath1)
|
hash=$(@bindir@/nix-hash --flat $tmpPath1)
|
||||||
echo "hash is $hash" >&2
|
echo "hash is $hash" >&2
|
||||||
|
|
||||||
# Rename it so that the fetchsvn builder can find it.
|
# Rename it so that the fetchurl builder can find it.
|
||||||
tmpPath2=@storedir@/nix-prefetch-url-$hash
|
if test "$dummyMode" != 1; then
|
||||||
test -e $tmpPath2 || mv $tmpPath1 $tmpPath2 # !!! race
|
tmpPath2=@storedir@/nix-prefetch-url-$hash
|
||||||
|
test -e $tmpPath2 || mv $tmpPath1 $tmpPath2 # !!! race
|
||||||
|
fi
|
||||||
|
|
||||||
# Create a Nix expression that does a fetchsvn.
|
# Create a Nix expression that does a fetchurl.
|
||||||
storeExpr=$( \
|
storeExpr=$( \
|
||||||
echo "(import @datadir@/nix/corepkgs/fetchurl) \
|
echo "(import @datadir@/nix/corepkgs/fetchurl) \
|
||||||
{url = $url; md5 = \"$hash\"; system = \"@system@\";}" \
|
{url = $url; md5 = \"$hash\"; system = \"@system@\";}" \
|
||||||
| @bindir@/nix-instantiate -)
|
| @bindir@/nix-instantiate -)
|
||||||
|
|
||||||
# Realise it.
|
# Realise it.
|
||||||
finalPath=$(@bindir@/nix-store -qnB --force-realise $storeExpr)
|
finalPath=$(@bindir@/nix-store -qnB --force-realise $storeExpr)
|
||||||
|
|
||||||
echo "path is $finalPath" >&2
|
echo "path is $finalPath" >&2
|
||||||
|
|
||||||
rm -rf $tmpPath2 || true
|
rm -rf $tmpPath1 $tmpPath2 || true
|
||||||
|
|
||||||
echo $hash
|
echo $hash
|
||||||
|
|
||||||
|
|
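Review bot: The fallback `tmpPath1=/tmp/nix-prefetch-url-$$ # !!! security?` in the first hunk uses a predictable name in a world-writable directory, and the `@curl@ ... > $tmpPath1` redirect that follows will write through a symlink or into a file that another local user created at that path first. Creating the file atomically avoids this, e.g. `tmpPath1=$(mktemp /tmp/nix-prefetch-url-XXXXXX) || exit 1`, together with quoting `"$tmpPath1"` in the redirect, the `nix-hash` call and the final `rm -rf`. `dummyMode` is assigned only in the failure branch, so a value inherited from the environment would also skip the rename in the second hunk; an explicit `dummyMode=0` before the `touch` test would rule that out. The start of the script lies outside both hunks, so whether it already initialises the variable or sets a restrictive umask cannot be seen from here.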