home-environment: reset PATH in activation script

Starting with state version 22.11 we completely reset the PATH
variable in the activation script. This is to avoid impurities and
unexpected results if the activation script accidentally uses a
command found in the user's PATH.
This commit is contained in:
Robert Helgesson 2022-11-03 15:00:29 +01:00
parent d67776563e
commit 886675991b
Failed to generate hash of commit
3 changed files with 35 additions and 5 deletions

View file

@ -97,3 +97,17 @@ These changes are only active if the `home.stateVersion` option is set to "22.11
value of <<opt-xdg.userDirs.music>> if <<opt-xdg.userDirs.enable>> is value of <<opt-xdg.userDirs.music>> if <<opt-xdg.userDirs.enable>> is
enabled. Otherwise it is undefined and must be specified in the user enabled. Otherwise it is undefined and must be specified in the user
configuration. configuration.
* The activation script now resets `PATH` before running. Before, the
user's `PATH` environment variable would be used in the script and
this made it possible for commands in the activation script to run
arbitrary commands accessible to the user. We now restrict the
activation script to commands that are explicitly specified.
+
There is no official way to restore the old behavior. We attempt to
make the activation script as reproducible as possible and honoring
the user's `PATH` reduces reproducibility.
+
If you need to run a command in an activation script block then refer
to the command by its absolute command path, such as
`${pkgs.hello}/bin/hello`.

View file

@ -346,12 +346,18 @@ in
home.emptyActivationPath = mkOption { home.emptyActivationPath = mkOption {
internal = true; internal = true;
default = false;
type = types.bool; type = types.bool;
default = versionAtLeast stateVersion "22.11";
defaultText = literalExpression ''
false for state version < 22.11,
true for state version 22.11
'';
description = '' description = ''
Whether the activation script should start with an empty Whether the activation script should start with an empty
<envar>PATH</envar> variable. When <literal>false</literal> <envar>PATH</envar> variable. When <literal>false</literal> then the
then the user's <envar>PATH</envar> will be used. user's <envar>PATH</envar> will be accessible in the script. It is
recommended to keep this at <literal>true</literal> to avoid
uncontrolled use of tools found in PATH.
''; '';
}; };
@ -672,7 +678,17 @@ in
gnugrep gnugrep
gnused gnused
ncurses # For `tput`. ncurses # For `tput`.
] ++ config.home.extraActivationPath ]
++ optional (config.nix.enable && config.nix.package != null) config.nix.package
++ config.home.extraActivationPath
)
+ (
# Add path of the Nix binaries, if a Nix package is configured, then
# use that one, otherwise grab the path of the nix-env tool.
if config.nix.enable && config.nix.package != null then
":${config.nix.package}/bin"
else
":$(dirname $(readlink -m $(type -p nix-env)))"
) )
+ optionalString (!cfg.emptyActivationPath) "\${PATH:+:}$PATH"; + optionalString (!cfg.emptyActivationPath) "\${PATH:+:}$PATH";

View file

@ -35,7 +35,7 @@ let
# Make activation script use same version of Nix as system as a whole. # Make activation script use same version of Nix as system as a whole.
# This avoids problems with Nix not being in PATH. # This avoids problems with Nix not being in PATH.
home.extraActivationPath = [ config.nix.package ]; nix.package = config.nix.package;
}; };
}) })
] ++ cfg.sharedModules; ] ++ cfg.sharedModules;