Nushell: Added security for per-directory environment

Created on 11 Jun 2020 · 5 Comments · Source: nushell/nushell

Is your feature request related to a problem? Please describe.
From Reddit, someone mentioned some additional security we could put on per-directory environments to harden them a bit further.

"Without that, it won't pick up the .nu-env file

I would also check that the file is not writable (and maybe even not readable) by group and others. Like ssh does for some files inside ~/.ssh"

From: https://www.reddit.com/r/rust/comments/h01ysx/the_new_version_of_nushell_a_modern_shell_written/ftoma6x/

Describe the solution you'd like
Let's continue to explore what we can do to protect users from bad actors.

cc @samhedin

enhancement


All 5 comments

This is a good idea. It shouldn't be more work than confirming file permissions before opening the file, I guess?

I would like to make a PR with this change along with other code changes I have been working on, but I don't know if I'll have time to finish those other changes this coming week (or if they end up being sensible at all). If not, I'll just make a PR with this alone unless someone else beats me to it.
As you say, we should continue to consider security here so I'm all ears.
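
The permission check discussed in the comment above, sketched in Rust as an added example (not nushell's own code and not part of the original thread). It checks the metadata of the already-open file handle rather than the path, so the file cannot be swapped between the check and the read. The names `Refusal`, `check_owner_and_mode` and `read_env_file` are hypothetical, the caller is assumed to supply the current user's uid, and the code is Unix-only.

```rust
use std::fs::{self, File};
use std::io::{self, Read};
use std::os::unix::fs::{MetadataExt, PermissionsExt};
use std::path::Path;

#[derive(Debug, PartialEq)]
pub enum Refusal {
    Io(io::ErrorKind),
    NotRegularFile,
    WrongOwner { owner: u32 },
    TooPermissive { mode: u32 },
}

/// Policy (hypothetical helper): owner must be `expected_uid`, and group/others must
/// have no write bits. With `strict`, group/other read and execute bits are refused too.
pub fn check_owner_and_mode(uid: u32, mode: u32, expected_uid: u32, strict: bool) -> Result<(), Refusal> {
    if uid != expected_uid {
        return Err(Refusal::WrongOwner { owner: uid });
    }
    let forbidden = if strict { 0o077 } else { 0o022 };
    if mode & forbidden != 0 {
        return Err(Refusal::TooPermissive { mode: mode & 0o777 });
    }
    Ok(())
}

/// Opens the file once, checks the metadata of that handle, then reads from the same
/// handle. `expected_uid` is assumed to be the current user's uid, supplied by the caller.
pub fn read_env_file(path: &Path, expected_uid: u32, strict: bool) -> Result<String, Refusal> {
    let io_err = |e: io::Error| Refusal::Io(e.kind());
    let mut file = File::open(path).map_err(io_err)?;
    let meta = file.metadata().map_err(io_err)?; // fstat on the handle, no second path lookup
    if !meta.is_file() {
        return Err(Refusal::NotRegularFile);
    }
    check_owner_and_mode(meta.uid(), meta.mode(), expected_uid, strict)?;
    let mut contents = String::new();
    file.read_to_string(&mut contents).map_err(io_err)?;
    Ok(contents)
}

fn main() {
    let path = std::env::temp_dir().join("nu-env-demo"); // constructed demo file
    fs::write(&path, "demo\n").unwrap();
    fs::set_permissions(&path, fs::Permissions::from_mode(0o664)).unwrap();
    let uid = fs::metadata(&path).unwrap().uid(); // a fresh file is owned by the current user
    println!("{:?}", read_env_file(&path, uid, false)); // refused: group-writable
    fs::remove_file(&path).unwrap();
}
```

This check covers only the file itself; a writable parent directory still lets another user replace the file, which is one reason the content-hash "trust" approach is a useful complement.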

We could also take the approach that direnv and many other similar technologies take: a "trust" subcommand for some other command:

> autoenv trust

That would update the config for the current directory with a timestamp and/or hash of the file contents. If it differs from the current values, we don't "source" it. The benefit here is that it may be more compatible when nushell is integrated with systems that don't have the same permissions concept as UNIX-y systems.

Yes, that approach sounds good too. Is that how https://direnv.net/ does it?

Yep, looks like it stores an "allow" file with a hash of the file contents:

https://github.com/direnv/direnv/blob/5f56f8dea66623dd05a85c9711e5a99f63194be5/rc.go#L42

Great, I'll get to it!
