From ef80ca96faeee8d2a07cf87813ddf8fb0c18d700 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= Date: Thu, 27 Aug 2015 10:58:31 +0200 Subject: [PATCH] daemon: Require a signature for imports made by root. This reinstates commit aa0f8409, which was inadvertently undone in commit 322eeb87. Running 'guix archive --import' as root would have let corrupt or unauthentic store items through. Reported by Eric Hanchrow at . * nix/nix-daemon/nix-daemon.cc (performOp) : Pass true as the first argument to 'importPaths'. --- nix/nix-daemon/nix-daemon.cc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/nix/nix-daemon/nix-daemon.cc b/nix/nix-daemon/nix-daemon.cc index 2b89190dbe..10159db62e 100644 --- a/nix/nix-daemon/nix-daemon.cc +++ b/nix/nix-daemon/nix-daemon.cc @@ -440,7 +440,10 @@ static void performOp(bool trusted, unsigned int clientVersion, case wopImportPaths: { startWork(); TunnelSource source(from); - Paths paths = store->importPaths(!trusted, source); + + /* Unlike Nix, always require a signature, even for "trusted" + users. */ + Paths paths = store->importPaths(true, source); stopWork(); writeStrings(paths, to); break;