installer and activation: Sanitise PATH

This makes sure that the installation and activation processes are “pure”, i.e. they use only binaries from nixpkgs or ones that come with macOS. Closes #86.
2025-04-08 18:20:48 +00:00 · 2018-06-29 18:32:09 +03:00 · 2018-06-29 18:32:09 +03:00 · 26bab2fd32
commit 26bab2fd32
parent 9f18c93771
2 changed files with 6 additions and 3 deletions
--- a/modules/system/activation-scripts.nix
+++ b/modules/system/activation-scripts.nix
@ -40,7 +40,7 @@ in
      #! ${stdenv.shell}
      set -e
      set -o pipefail
-      export PATH=${pkgs.coreutils}/bin:@out@/sw/bin:${config.environment.systemPath}
+      export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin"

      systemConfig=@out@

@ -83,7 +83,7 @@ in
      #! ${stdenv.shell}
      set -e
      set -o pipefail
-      export PATH=${pkgs.coreutils}/bin:@out@/sw/bin:${config.environment.systemPath}
+      export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin"

      systemConfig=@out@

--- a/pkgs/darwin-installer/default.nix
+++ b/pkgs/darwin-installer/default.nix
@ -24,6 +24,9 @@ stdenv.mkDerivation {
  shellHook = ''
    set -e

+    orig_path="$PATH"
+    export PATH="${pkgs.openssh}/bin"  # In case nix needs it
+
    action=switch
    while [ "$#" -gt 0 ]; do
        i="$1"; shift 1
@ -58,7 +61,7 @@ stdenv.mkDerivation {
        read -p "Would you like edit the default configuration.nix before starting? [y/n] " i
        case "$i" in
            y|Y)
-                ''${EDITOR:-nano} "$config"
+                PATH="$orig_path" ''${EDITOR:-nano} "$config"
                ;;
        esac
    fi