Skip to content

treewide: Replace PosixSourceAccessor::createAtRoot with makeFSSourceAccessor #14809

Draft
xokdvium wants to merge 2 commits intomasterfrom
makefs-source-accessor-tests
Draft

treewide: Replace PosixSourceAccessor::createAtRoot with makeFSSourceAccessor #14809
xokdvium wants to merge 2 commits intomasterfrom
makefs-source-accessor-tests

Conversation

@xokdvium
Copy link
Contributor

@xokdvium xokdvium commented Dec 16, 2025

Motivation

We'd like to split out the implementation into Unix/Windows-specific
parts to more easily iterate on improving UNIX accessors to make use
of dirfd-based operations (or even openat2). This should be hidden behind
the appropriate interface and not exposed as a static member function of
the PosixSourceAccessor.

Tests should be pretty self-explanatory. We didn't really have unit tests
for the filesystem source accessor. Now we do and this will be immensely
useful for implementing a unix-only smarter accessor that doesn't suffer
from TOCTOU on symlinks.

Context

Add 👍 to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.

@xokdvium
treewide: Get rid of PosixSourceAccessor::createAtRoot
8b00263 
We'd like to split out the implementation into Unix/Windows-specific
parts to more easily iterate on improving UNIX accessors to make use
of dirfd-based operations (or even openat2). This should be hidden behind
the appropriate interface and not exposed as a static member function of
the PosixSourceAccessor.
@xokdvium
libutil-tests: Add tests for makeFSSourceAccessor
bb5d2e9 
Should be pretty self-explanatory. We didn't really have unit tests
for the filesystem source accessor. Now we do and this will be immensely
useful for implementing a unix-only smarter accessor that doesn't suffer
from TOCTOU on symlinks.
@xokdvium xokdvium requested a review from Ericson2314 December 16, 2025 00:07
@xokdvium xokdvium requested a review from edolstra as a code owner December 16, 2025 00:07
@github-actions github-actions bot added the new-cli Relating to the "nix" command label Dec 16, 2025
xokdvium
xokdvium commented Dec 16, 2025
View reviewed changes
src/libutil/include/nix/util/posix-source-accessor.hh
*
* The `PosixSourceAccessor` is rooted as far up the tree as
* possible, (e.g. on Windows it could scoped to a drive like
* `C:\`). This allows more `..` parent accessing to work.
Copy link
Contributor Author

@xokdvium xokdvium Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

None of the call-sites actually relied on the .. behaviour it looks like. dumpPath only traverses down - not upwards.

xokdvium
xokdvium commented Dec 16, 2025
View reviewed changes
src/libutil/include/nix/util/posix-source-accessor.hh
Comment on lines -63 to -64
* @note A canonicalizing behavior is not built in `createAtRoot` so that
* callers do not accidentally introduce symlink-related security vulnerabilities.
Copy link
Contributor Author

@xokdvium xokdvium Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also considering just how racy the PosixSourceAccessor is due to the lstat cache this is pretty much just a farce anyway. We'll be redoing this with fd-based accessor. The correct approach would be to use openFileEnsureBeneathNoSymlinks for this path and that will do the right thing.

@Ericson2314
Copy link
Member

Ericson2314 commented Dec 16, 2025

There is one use-case of PosixSourceAccessor::createAtRoot I think would be legitimate, which is for (relative) path literals on Windows with impure eval.

For everything else, yes please let's use makeFSSourceAccessor. And all the ones that try to get the root (on Unix) and use a canon path, please use makeFSSourceAccessor too.

@Ericson2314
Copy link
Member

Ericson2314 commented Dec 16, 2025

Can you make the second commit its own PR? I would like to land that, and per the above to makeFSSourceAccessor, but not get rid of createAtRoot just yet.

@xokdvium
Copy link
Contributor Author

xokdvium commented Dec 16, 2025

And all the ones that try to get the root (on Unix) and use a canon path, please use makeFSSourceAccessor too.

Not easily done for now because that would mean that we'd start following symlinks in quite a few places. I've tried my best o not change the semantics of symlink following for the UNIX case (also for mingw we don't care about symlinks).
Would you be fine with going with this change and after we've switched to separate unix/windows accessors? That way I'd be able to use the non-following opens in makeFSSourceAccessor in the UNIX case.

@xokdvium
Copy link
Contributor Author

xokdvium commented Dec 16, 2025

There is one use-case of PosixSourceAccessor::createAtRoot I think would be legitimate, which is for (relative) path literals on Windows with impure eval.

But I don't think its on master for now? Anyway, I'd really like to hide PosixSourceAccessor from the header to make progress on this.

@xokdvium xokdvium mentioned this pull request Dec 17, 2025
Merged
@xokdvium xokdvium marked this pull request as draft January 19, 2026 19:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Ericson2314 Ericson2314 Awaiting requested review from Ericson2314

@edolstra edolstra Awaiting requested review from edolstra edolstra is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

new-cli Relating to the "nix" command

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@xokdvium @Ericson2314