| 15 Jul 2025 |
aloisw | In reply to @raitobezarius:matrix.org Fallback logic tries to go for /run/user/$UID first then fallback to /tmp Is it big enough? tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=4045880k,nr_inodes=1011470,mode=700,uid=1000,gid=100) | 18:09:30 |
raitobezarius | that's my concern as well… | 18:09:44 |
raitobezarius | but can be fixe | 18:09:46 |
raitobezarius | * but can be fixed | 18:09:47 |
raitobezarius | and also supposed to stage only builds that cannot go via /nix/var/nix/builds | 18:09:54 |
aloisw | Agreed, the hardening also seems a lot more important in the privileged case anyway. | 18:13:13 |
aloisw | Or maybe not, given that the arbitrary directory delete may not come from Lix? But I fail to come up with a reasonable threat model here in any case. | 18:14:39 |
aloisw | Also we might need to nest the build directory in a not world-executable path to prevent the builder from allowing external processes to place sockets into it? | 18:18:52 |
aloisw | (regarding the sockets stuff, not CVE-2025-52991, it just came to my mind again due to talking about the nested build directory) | 18:19:44 |
raitobezarius | In reply to @aloisw:julia0815.de Or maybe not, given that the arbitrary directory delete may not come from Lix? But I fail to come up with a reasonable threat model here in any case. I feel like you could either analyze it from: integrity, confidentiality and availability perspective OR a random multi-user Lix installation on a personal system (laptop/desktop/etc) OR a random multi-user Lix installation on a server OR a multi-tenant Lix worker for a CI system, etc. | 18:41:27 |
raitobezarius | I think specialized systems like CI systems, etc. are already aware to invest into hardening methods and additional sandboxing | 18:41:44 |
raitobezarius | So their blast radius should be controlled when it comes to this | 18:41:53 |
raitobezarius | Running Lix on a server is classical but also meh, it's mostly used similarly as a personal system albeit you don't download random attachments and shit from where not | 18:42:32 |
raitobezarius | So random multi user Lix installation on a personal system is the most important scenario here that matters to me | 18:42:46 |
raitobezarius | By default, it should be staging builds in /nix/var/nix/builds, except if you opt in to a new directory or you are running weird commands that make it fall back to non-daemon connections and cause you to use a tmp directory, at this point, bets are off. Ideally, if you end up doing that, it would be nice if we could make people do something like systemd-run -p $HARDENING nix ... | 18:43:35 |
raitobezarius | instead of just nix ... | 18:43:38 |
raitobezarius | Arbitrary directory delete can cause integrity or availability issues, but not confidentiality ones | 18:44:00 |
raitobezarius | In reply to @aloisw:julia0815.de Also we might need to nest the build directory in a not world-executable path to prevent the builder from allowing external processes to place sockets into it? Can you open an issue for this? | 18:44:56 |
emily | /run/user does not work for Darwin, but $TMPDIR is per-user on Darwin. unfortunately, the path is much too long | 19:04:50 |
emily | (e.g. /var/folders/yd/mh726b5d2vqfyp132jtzq9t80000gn/T/) | 19:04:54 |
jade_ | at work at the moment, can look after. I am highly surprised at there being a regression in sending emails | 19:23:26 |
raitobezarius | In reply to @jade_:matrix.org at work at the moment, can look after. I am highly surprised at there being a regression in sending emails this is fixed | 20:23:39 |
raitobezarius | MIXED cannot be used because we use different set of emails | 20:23:47 |
raitobezarius | the fix is on infra | 20:23:50 |
raitobezarius | In reply to @emilazy:matrix.org /run/user does not work for Darwin, but $TMPDIR is per-user on Darwin. unfortunately, the path is much too long "the path is much too long" (sic) | 20:24:08 |
raitobezarius | okie | 20:24:25 |
jade_ | wait whut | 20:58:22 |
jade_ | MIXED should mean that it puts "Sender Name (Code Review) <instance@instance.instance" | 20:58:47 |
jade_ | * MIXED should mean that it puts "Sender Name (Code Review) <instance@instance.instance>" | 20:58:48 |
raitobezarius | instance := gerrit instead of noreply | 20:58:55 |