Why is "netrc-file" not a restricted configuration-parameter?

Hello all!

In the past I used the command-line-parameter “--netrc-file” to provide Nix with credentials for git-repositories with restricted access. However, since upgrading from version 2.18 to 2.24, I get a warning on the command-line telling me that this was a restricted setting and I am not a trusted user:

warning: ignoring the client-specified setting 'netrc-file', because it is a restricted setting and you are not a trusted user

My question is: why was this change made?

In advance, this is not a problem right now because it seems like the setting (contrary to the warning) does not get ignored. So it still works for me.

But now my issue: The second question would be if it is really a good change. Regarding my scenario: Imagine working in a company with a terminal server where several people work, sharing one Nix-daemon. Each developer (or development-group) there may have her/his own restricted repositories and may provide different netrc-files for building and installing Nix-packages. Sharing one netrc-file for all is obviously not an option. Making users trusted is not an option either since users are not managed locally and you won’t find them in “/etc/passwd” or “/etc/group” (rather managed by “System Security Services Daemon” instead). So adding them to “trusted-users” won’t work either.

What do you think? Can we somehow have (again) the feature that each developer may provide his/her own credentials without sharing them?

I agree with you that this is problematic, for the reasons you describe. I think what’s happening with it not being ignored is: if the fetch operations are done by your nix client, then the setting is not ignored. This covers things like flake fetches. However, if the fetch is done by the daemon, then the netrc would be ignored. You get the warning either way. I think you can avoid the warning by putting the user in the daemon-running-as-root’s trusted-users configuration option but this doesn’t seem ideal either.

It would be good to see a proper solution here, or some clear reasoning of why the root nix-daemon can’t trust the netrc provided by the client.

@pwaller’s explanation about client and daemon is correct.

Accepting netrc file paths in the daemon would be risky because it may expose arbitrary file existence and/or contents to non-root users. Accepting netrc contents (by value) would be an improvement, but not completely risk-free either, but probably worth the tradeoff.
Eelco has work in progress on this topic: Pluggable authentication by edolstra · Pull Request #9857 · NixOS/nix · GitHub
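
The by-path versus by-value distinction from the reply above, as an added Python sketch (not Nix code and not part of the thread). The function names, the size cap, the minimal netrc parser (no `default` or `macdef` support) and the sample files are all hypothetical and constructed for illustration.

```python
import os
import tempfile

MAX_NETRC_BYTES = 64 * 1024  # assumed cap on client-supplied data

def parse_netrc(text):
    """Minimal netrc parser: {machine: {"login": ..., "password": ...}}."""
    creds, current = {}, None
    tokens = iter(text.split())
    for tok in tokens:
        if tok not in ("machine", "login", "password"):
            raise ValueError(f"unexpected token {tok!r}")
        value = next(tokens, None)
        if value is None:
            raise ValueError(f"missing value after {tok!r}")
        if tok == "machine":
            current = creds.setdefault(value, {})
        elif current is None:
            raise ValueError(f"{tok!r} before any machine entry")
        else:
            current[tok] = value
    return creds

def daemon_load_by_path(path):
    """Risky shape: the privileged process opens a path the client chose."""
    try:
        with open(path) as fh:
            return {"ok": True, "creds": parse_netrc(fh.read())}
    except FileNotFoundError:
        return {"ok": False, "error": "no such file"}         # existence oracle
    except ValueError as exc:
        return {"ok": False, "error": f"parse error: {exc}"}  # echoes content

def daemon_load_by_value(blob):
    """Safer shape: the client reads its own file and sends the bytes."""
    if len(blob) > MAX_NETRC_BYTES:
        return {"ok": False, "error": "netrc too large"}
    try:
        return {"ok": True, "creds": parse_netrc(blob.decode("utf-8"))}
    except (UnicodeDecodeError, ValueError):
        return {"ok": False, "error": "invalid netrc"}

def demo():
    with tempfile.TemporaryDirectory() as d:
        other = os.path.join(d, "daemon-only.conf")  # constructed stand-in file
        with open(other, "w") as fh:
            fh.write("api_key=constructed-secret\n")
        missing = daemon_load_by_path(os.path.join(d, "absent"))
        present = daemon_load_by_path(other)
    mine = daemon_load_by_value(b"machine git.example.com login alice password pw\n")
    return missing, present, mine
```

In the by-value shape the privileged side only ever parses bytes the client could already read, so its replies cannot reveal anything about files the client has no access to.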