From ef80ca96faeee8d2a07cf87813ddf8fb0c18d700 Mon Sep 17 00:00:00 2001
From: Ludovic Courtès <ludo@gnu.org>
Date: Thu, 27 Aug 2015 10:58:31 +0200
Subject: daemon: Require a signature for imports made by root.

This reinstates commit aa0f8409, which was inadvertently undone in commit
322eeb87.

Running 'guix archive --import' as root would have let corrupt or unauthentic
store items through.

Reported by Eric Hanchrow <eric.hanchrow@gmail.com>
at <http://bugs.gnu.org/21354>.

* nix/nix-daemon/nix-daemon.cc (performOp) <wopImportPaths>: Pass true as the
  first argument to 'importPaths'.
---
 nix/nix-daemon/nix-daemon.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'nix')

diff --git a/nix/nix-daemon/nix-daemon.cc b/nix/nix-daemon/nix-daemon.cc
index 2b89190dbe..10159db62e 100644
--- a/nix/nix-daemon/nix-daemon.cc
+++ b/nix/nix-daemon/nix-daemon.cc
@@ -440,7 +440,10 @@ static void performOp(bool trusted, unsigned int clientVersion,
     case wopImportPaths: {
         startWork();
         TunnelSource source(from);
-        Paths paths = store->importPaths(!trusted, source);
+
+	/* Unlike Nix, always require a signature, even for "trusted"
+	   users.  */
+        Paths paths = store->importPaths(true, source);
         stopWork();
         writeStrings(paths, to);
         break;
-- 
cgit v1.2.3