Skip to content

Prevent host PATH from leaking into nix build env#155

Open
alexhulbert wants to merge 3 commits into
mainfrom
ah/prevent-path-leak
Open

Prevent host PATH from leaking into nix build env#155
alexhulbert wants to merge 3 commits into
mainfrom
ah/prevent-path-leak

Conversation

@alexhulbert
Copy link
Copy Markdown
Member

@alexhulbert alexhulbert commented May 27, 2026

This makes sure that only nix-provided binaries are in the PATH when mkosi runs. It fixes the issue referenced in #152 and any future issues of the same class.

Tested both inside and outside Lima and it produces the same hashes on both.

@alexhulbert alexhulbert requested a review from a team as a code owner May 27, 2026 17:48
@alexhulbert alexhulbert requested a review from 0x416e746f6e May 27, 2026 17:48
@alexhulbert alexhulbert mentioned this pull request May 27, 2026
Closed
@alexhulbert
Copy link
Copy Markdown
Member Author

alexhulbert commented May 27, 2026

The listed packages in the changed flake.nix file are the only ones referenced by mkosi itself (or ones that make more sense to run outside of chroot)

@alexhulbert
Copy link
Copy Markdown
Member Author

alexhulbert commented May 28, 2026

@0x416e746f6e Made an update to this branch and did a thorough test on several environments. It effectively removes the /usr/bin and /usr/sbin prepended to the PATH for all mkosi files while preserving those PATHs in mkosi-chroot.

@0x416e746f6e
Copy link
Copy Markdown
Member

0x416e746f6e commented May 29, 2026

thanks. the update had fixed the build

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@0x416e746f6e 0x416e746f6e 0x416e746f6e approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alexhulbert @0x416e746f6e