<Ashy>
that post reminds me i've been thinking about how nix could be a super useful performance benchmarking tool for various projects (not just rust)
<eyJhb>
Wondering how hard it is to recover a Windows host that might have been infected versus a NixOS host?
<eyJhb>
I am guessing, worst case would be, if there is still access to NixOS, to validate the daemon files manually, and then force an integrity check, to ensure the store has not been tampered with
<eyJhb>
Whereas Windows is just, out of luck?
waleee-cl has joined #nixos-chat
<philipp[m]>
I don't think you could trust the system if the store was fixed. An attacker could have put a malicious file in $PATH that is outside of the nix store.
<eyJhb>
Well, having tmpfs or erase your darlings would not allow files to be placed all over, and the PATH is controlled from the store besides that
<eyJhb>
Having a warnfs would be cool. Sending alerts when a file is written to outside of a whitelist as well
<eyJhb>
but yeah philipp[m] , they could do that, but I would assume that the PATH is Nix controlled, etc.
<eyJhb>
I will still assume recovery of a NixOS system is easier than most?
<eyJhb>
Dunno if adisbladis gchristensen have any experience?
<eyJhb>
Or srhb
<philipp[m]>
That really depends on the system and the attack. For example I think the answer for a production server would be "you should be able to replicate that anyway within minutes, just throw it away and spool up a new instance".
<philipp[m]>
Desktop could be trickier. I guess manually verifying your nix config, setting up a new home for all users and manually moving non infected files back. Probably still less pain than windows.
<srhb>
eyJhb: With what exactly?
<srhb>
Recovery in general? Yeah, of course delete and start over is preferable, and the way I design things if I can possibly get away with it, but I've been responsible for some fairly wild NixOS (and nix-on-something-else) deployments where that wasn't immediately possible. You can certainly recover from a lot of situations where you'd probably just give up were it not for Nix.
<eyJhb>
With potential malware on a NixOS production system, or something along those lines. Generally any recovery situation
<srhb>
Ah
<eyJhb>
Yeah, that is what I would assume would be the best
<srhb>
In that case I'd most certainly nuke, but I've never heard of such an attack. Maybe we're complacent.
parsley936 has joined #nixos-chat
<eyJhb>
Not sure if you can say if DBCDK has tried any/had any
<eyJhb>
Hmm, maybe
<srhb>
We have not had malware attacks on NixOS servers (that we know of) ;)
<eyJhb>
I would just guess it is a huge selling point, to "easily" check if a system is consistent and integrity check it
<srhb>
Yes, indeed.
<eyJhb>
So only other *nix distributions? ;)
<srhb>
Also, things like vulnix etc.
<srhb>
I can't comment on that, it's not my domain :)
<Mic92>
It's probably a lot of security by obscurity with NixOS right now. Much dynamically linked malware would simply not run.
<Mic92>
However I can see how hardening could be achieved by not allowing programs outside the nix store to be executed.
<Valodim>
until the hackers start writing reproducible exploit nix expressions
<Mic92>
And then checking everything that is in the nix store.
<Mic92>
You can also check on the machine itself what signatures a path has.
<Mic92>
And detect locally built derivations
<Mic92>
Might be also interesting to limit the amount of users that are allowed to access the nix daemon socket.
<eyJhb>
Valodim: yeah, but you could easily get rid of this malware. Validate the configs, purge everything else than the current build
<eyJhb>
Mic92: agreed
<eyJhb>
No root access! \s
<adisbladis>
eyJhb: For sure NixOS recovery is easier than most
<adisbladis>
But I still wouldn't trust any "recovered" system
<adisbladis>
If it's pwnt you start fresh
<eyJhb>
Also, if you can nix-build, I guess you have root
<eyJhb>
But starting fresh is much easier in NixOS, so :D
<eyJhb>
If you have done it right at least
<eyJhb>
I would just HATE to have to clean a Windows system
<srhb>
eyJhb: nix-build does not equal root unless you trust every store path in the store (which you shouldn't)
<srhb>
Only the ones produced by expressions you trust. :)
<eyJhb>
Can't you make a nix expression that SETUID with root, that you can run?
<adisbladis>
No
<adisbladis>
The nix store doesn't support setuid
<eyJhb>
We need to support that! \s
<srhb>
eyJhb: That's what we have security wrappers for in NixOS
<eyJhb>
I still need a NixOS challenge for Aarhus CTF 2020
<eyJhb>
But would require it to run in Docker :(
<Mic92>
eyJhb: there are nix expressions to build windows with nix
<philipp[m]>
I had a look whether I could do something about that 20.03 channel blocker and all I can say that: Wow, vala looks really annoying to debug.
<eyJhb>
On a completely unrelated note, time to read up on the exams without access to the course materials because the site is totally 100% not down.
<Mic92>
adisbladis: how many hairs did you lose when building wfvm?
<adisbladis>
Mic92: Over 9000
<eyJhb>
You have lots anyway adisbladis
<Mic92>
I just imagine you being bald by now
<eyJhb>
`iboughtthisone`
<eyJhb>
Suuuuuuuuuure
<eyJhb>
How do you handle installs?
<eyJhb>
I want to write a rootkit for NixOS soo badly now
__monty__ has quit [Quit: leaving]
<Ashy>
Mic92: ah nice, i should clean that repo up a bit make it easy to run some of the bigger benchmark groups
waleee-cl has quit [Quit: Connection closed for inactivity]
xd1le has joined #nixos-chat
<eyJhb>
srhb: forcefully got adisbladis to merge the PR :D
neeasade has joined #nixos-chat
avn has joined #nixos-chat
<Valodim>
I'm trying to get a super basic flake to work to build my system following the flakes part 3 blog post. I get this error, and I triple-checked I don't get what I'm doing different from the blog post
<Valodim>
"flake 'github:NixOS/nix/b3e73547a03f068ae4dd9cca4bc865cde85c8dec' does not provide attribute 'packages.x86_64-linux.nixosConfigurations."calamity".config.system.build.toplevel'"
<Valodim>
does the 20.03 flake not yet have what the blog post requires yet, or something?
<Valodim>
the flake is basically nothing besides `nixosConfigurations.calamity = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ ./configuration.nix ]; }`
<Valodim>
or is `nixpkgs.lib.nixosSystem` not actually what I want? if so, the blog post doesn't specify >_>
<Valodim>
ooohhhhh
<bqv>
lol
<Valodim>
so this: "nixos-rebuild build --flake nix" will not build the flake that's in a directory "nix"
<Valodim>
this will: "nixos-rebuild build --flake nix/"
<bqv>
you should use explicitly relative paths
<bqv>
disambiguates entirely
<bqv>
nix -> ./nix
<Valodim>
I'm fine if that's a rule inside nix expressions, but getting arcane error messages when I didn't consider this at shell level was pretty damn frustrating
<bqv>
you're now dealing with flake URIs, not dumb attrpaths
<bqv>
`nix` will resolve to nix#defaultPackage.${currentSystem} first
<bqv>
.yj
<bqv>
*etc
cole-h has joined #nixos-chat
<eyJhb>
bqv: dvorak?
<bqv>
ish
<eyJhb>
Colemak?
<bqv>
programmer-dvorak for text, british-qwerty for commands
<bqv>
the constant context switching keeps me on my toes
<bqv>
and means i can mostly keep my muscle memories
<eyJhb>
Weeellllllll
<eyJhb>
That does not sound nice :p
<bqv>
what can i say, i'm a masochist
<bqv>
what in the world
<bqv>
woman just crashed my emacs
<bqv>
also, why is woman so much heavier and slower than man
neeasade has quit [Remote host closed the connection]
* philipp[m]
tries hard not to do immature jokes
<philipp[m]>
I have that problem, too.
jasongrossman has joined #nixos-chat
rajivr has quit [Quit: Connection closed for inactivity]
<crazazy[m]>
bqv: is this because of the DT video?
<bqv>
hm?
<bqv>
i dunno what that is
<bqv>
i don't youtube
<crazazy[m]>
oh
<crazazy[m]>
guy does linux software videos. when he covered guix 4chan started to get spammed with guix discussions
<crazazy[m]>
which quickly got derailed into political arguments on whether guix should've made their joint statement against stallman or not
<crazazy[m]>
in typical /g/ fashion, of course
<bqv>
curious
<crazazy[m]>
also found it funny that he was pretty positive about guix, but when he tried installing nixos like 2 or so years back he was complaining about the operating system
<eyJhb>
I am not sure how, but I am making this code uglier, while it still does the same
<bqv>
that's wacky
<bqv>
i think i'll just start fresh
<bqv>
especially cause i'd rather not use github pull requests
<Mic92>
Directly push to master?
<eyJhb>
` then (recursiveUpdate depValue (stdenv.lib.elemAt (stdenv.lib.attrValues (stdenv.lib.getAttrs [ depName ] moduleOverrides)) 0 ) )` I have this, and should stop torturing Nix for today
<bqv>
Mic92: i meant something using refs/pull or similar would do