home-environment: reset PATH in activation script
Starting with state version 22.11 we completely reset the PATH variable in the activation script. This is to avoid impurities and unexpected results if the activation script accidentally uses a command found in the user's PATH.
This commit is contained in:
parent
d67776563e
commit
886675991b
3 changed files with 35 additions and 5 deletions
|
@ -97,3 +97,17 @@ These changes are only active if the `home.stateVersion` option is set to "22.11
|
|||
value of <<opt-xdg.userDirs.music>> if <<opt-xdg.userDirs.enable>> is
|
||||
enabled. Otherwise it is undefined and must be specified in the user
|
||||
configuration.
|
||||
|
||||
* The activation script now resets `PATH` before running. Before, the
|
||||
user's `PATH` environment variable would be used in the script and
|
||||
this made it possible for commands in the activation script to run
|
||||
arbitrary commands accessible to the user. We now restrict the
|
||||
activation script to commands that are explicitly specified.
|
||||
+
|
||||
There is no official way to restore the old behavior. We attempt to
|
||||
make the activation script as reproducible as possible and honoring
|
||||
the user's `PATH` reduces reproducibility.
|
||||
+
|
||||
If you need to run a command in an activation script block then refer
|
||||
to the command by its absolute command path, such as
|
||||
`${pkgs.hello}/bin/hello`.
|
||||
|
|
|
@ -346,12 +346,18 @@ in
|
|||
|
||||
home.emptyActivationPath = mkOption {
|
||||
internal = true;
|
||||
default = false;
|
||||
type = types.bool;
|
||||
default = versionAtLeast stateVersion "22.11";
|
||||
defaultText = literalExpression ''
|
||||
false for state version < 22.11,
|
||||
true for state version ≥ 22.11
|
||||
'';
|
||||
description = ''
|
||||
Whether the activation script should start with an empty
|
||||
<envar>PATH</envar> variable. When <literal>false</literal>
|
||||
then the user's <envar>PATH</envar> will be used.
|
||||
<envar>PATH</envar> variable. When <literal>false</literal> then the
|
||||
user's <envar>PATH</envar> will be accessible in the script. It is
|
||||
recommended to keep this at <literal>true</literal> to avoid
|
||||
uncontrolled use of tools found in PATH.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -672,7 +678,17 @@ in
|
|||
gnugrep
|
||||
gnused
|
||||
ncurses # For `tput`.
|
||||
] ++ config.home.extraActivationPath
|
||||
]
|
||||
++ optional (config.nix.enable && config.nix.package != null) config.nix.package
|
||||
++ config.home.extraActivationPath
|
||||
)
|
||||
+ (
|
||||
# Add path of the Nix binaries, if a Nix package is configured, then
|
||||
# use that one, otherwise grab the path of the nix-env tool.
|
||||
if config.nix.enable && config.nix.package != null then
|
||||
":${config.nix.package}/bin"
|
||||
else
|
||||
":$(dirname $(readlink -m $(type -p nix-env)))"
|
||||
)
|
||||
+ optionalString (!cfg.emptyActivationPath) "\${PATH:+:}$PATH";
|
||||
|
||||
|
|
|
@ -35,7 +35,7 @@ let
|
|||
|
||||
# Make activation script use same version of Nix as system as a whole.
|
||||
# This avoids problems with Nix not being in PATH.
|
||||
home.extraActivationPath = [ config.nix.package ];
|
||||
nix.package = config.nix.package;
|
||||
};
|
||||
})
|
||||
] ++ cfg.sharedModules;
|
||||
|
|
Loading…
Reference in a new issue