Mastodawn

Nix security advisory: Privilege escalation via symlink following during FOD output registration

https://discourse.nixos.org/t/nix-security-advisory-privilege-escalation-via-symlink-following-during-fod-output-registration/76900

#security #nixpkgs #nixos

Nix security advisory: Privilege escalation via symlink following during FOD output registration

Summary Nix daemon is vulnerable to arbitrary file overwrites as the daemon user (root on NixOS and in multi-user installations). The issue is identified as GHSA-g3g9-5vj6-r3gj with CVE assignment pending. All users allowed to submit builds to the Nix daemon (allowed-users, everyone by default) can achieve arbitrary file writes as root and subsequent privilege escalation. Am I affected? All Nix versions since 2.21 and patch releases >=2.18.2,>=2.19.4,>=2.20.5 prior to 2.34.5, 2.33.4, 2.32.7, 2...

NixOS Discourse

Ori

(Inara)15h ago

I am starting to understand more and more why #nix critters don't bother merging their stuff into #nixpkgs

Like there is a non-0 chance of me just being stupid but wtf is this
https://github.com/NixOS/nixpkgs/pull/499520#pullrequestreview-4063026079

- posted by Valerie

ｔｏ⟁ｓｔ⟁ｌ 1d ago

420 commits (the weed number) into Nixpkgs with this absolute pedantry https://github.com/NixOS/nixpkgs/pull/506286#issuecomment-4191348211

It puts the “stone” in milestones amirite?

#nix #nixpkgs

treewide: fix typo of NPM → npm by toastal · Pull Request #506286 · NixOS/nixpkgs

the official name casing is “npm” Things done Built on platform: x86_64-linux aarch64-linux x86_64-darwin aarch64-darwin Tested, as applicable: NixOS tests in nixos/tests. Package tests...

GitHub

Sigma 4d ago

I wrote a small web dashboard to sort and search through build logs :D

https://discourse.nixos.org/t/nixpkgs-failure-dashboard/76790

#nix #nixos #nixpkgs

musicmatze

4d ago

I was just accused of maybe not being a real human in a PR comment in #nixpkgs

https://github.com/NixOS/nixpkgs/pull/504616#issuecomment-4180196409

What the actual fuck?

khard: fix build failure caused by sphinx by wrvsrx · Pull Request #504616 · NixOS/nixpkgs

reference: sphinx-doc/sphinx#14333 (comment) Things done Built on platform: x86_64-linux aarch64-linux x86_64-darwin aarch64-darwin Tested, as applicable: NixOS tests in nixos/tests. P...

GitHub

Benedikt Ritter (he/him)Mar 21

🚨 New Blog Post Alert: Kotlin-lsp Packaging Pt 2

First time dealing with prebuilt binaries in Nix. What looked like a simple version bump ended up involving a native library, some patchelf debugging, and pulling in libgcc for libgcc_s.so.1.

autoPatchelfHook from nixpkgs made it fairly straightforward in the end.

#nixos #nix #nixpkgs #kotlin #neovim #lsp

Packaging kotlin-lsp for NixVim (Part 2)

How a version bump exposed native library dependencies in kotlin-lsp and what it takes to package them on NixOS

Felix Singer Mar 16

Edit: It got merged :)

Any #nixos people here on #fediverse willing to review this pull request hardening the #Jenkins module in #nixpkgs and maybe even willing to merge it? That would be appreciated.

Also, would be great to have one more maintainer for the package and module.

https://github.com/NixOS/nixpkgs/pull/472066

nixos/jenkins: Set ProtectSystem to strict by felixsinger · Pull Request #472066 · NixOS/nixpkgs

Protect most files and directories from being read or written by setting ProtectSystem to strict. Exclude the Jenkins state directory from that protection. https://www.freedesktop.org/software/syst...

GitHub

Project Insanity Mar 10

Move #Nextcloud-packages to the new directory structure `pkgs/by-name` in #NixOS #nixpkgs ♻️ https://github.com/NixOS/nixpkgs/pull/498519

Part of my work for @nextcloud and @synyx

Adam Dinwoodie Mar 8

#NixOS / #nixpkgs questions: I'm running against nixos-unstable. Home Manager has a "news" feature that tells me when things change in ways I might care about. Does anyone have a cunning way to get notified about changes to the Nixpkgs and NixOS release notes?

I can write my own monitoring script, but if there's a way of doing this that doesn't require reinventing this particular wheel, that'd be preferable!

chfkch

Mar 7

Does anbody know what files i need to remove except `/var/lib/stalwart-mail` to completely scrub it off the system? I had a test ]nstance running and want to use it prosuctively, but don't want to upgrade from and old version across 3 point releases manually.

Maybe @stalwartlabs ?

#NixOS #NixPkgs #StalwartMail