From 26bab2fd3290b42a3df54db291f0d8775f128857 Mon Sep 17 00:00:00 2001
From: Kirill Elagin
Date: Fri, 29 Jun 2018 18:32:09 +0300
Subject: [PATCH 1/2] installer and activation: Sanitise PATH
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This makes sure that the installation and activation processes are “pure”, i.e. they use only binaries from nixpkgs or ones that come with macOS. Closes #86.
---
 modules/system/activation-scripts.nix | 4 ++--
 pkgs/darwin-installer/default.nix | 5 ++++-
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/modules/system/activation-scripts.nix b/modules/system/activation-scripts.nix
index 25d84ec..1b99e4c 100644
--- a/modules/system/activation-scripts.nix
+++ b/modules/system/activation-scripts.nix
@@ -40,7 +40,7 @@ in
 #! ${stdenv.shell}
 set -e
 set -o pipefail
- export PATH=${pkgs.coreutils}/bin:@out@/sw/bin:${config.environment.systemPath}
+ export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin"
 systemConfig=@out@
@@ -83,7 +83,7 @@ in
 #! ${stdenv.shell}
 set -e
 set -o pipefail
- export PATH=${pkgs.coreutils}/bin:@out@/sw/bin:${config.environment.systemPath}
+ export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin"
 systemConfig=@out@
diff --git a/pkgs/darwin-installer/default.nix b/pkgs/darwin-installer/default.nix
index 8112371..70b4615 100644
--- a/pkgs/darwin-installer/default.nix
+++ b/pkgs/darwin-installer/default.nix
@@ -24,6 +24,9 @@ stdenv.mkDerivation {
 shellHook = ''
 set -e
+ orig_path="$PATH"
+ export PATH="${pkgs.openssh}/bin" # In case nix needs it
+
 action=switch
 while [ "$#" -gt 0 ]; do
 i="$1"; shift 1
@@ -58,7 +61,7 @@ stdenv.mkDerivation {
 read -p "Would you like edit the default configuration.nix before starting? [y/n] " i
 case "$i" in
 y|Y)
- ''${EDITOR:-nano} "$config"
+ PATH="$orig_path" ''${EDITOR:-nano} "$config"
 ;;
 esac
 fi
From 45f0e832cd894c88996d97a231099630db0f780a Mon Sep 17 00:00:00 2001
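Review bot: In `modules/system/activation-scripts.nix` (hunk `@@ -40,7 +40,7 @@`) the new activation `PATH` stops at `/usr/bin:/bin` and leaves out `/usr/sbin:/sbin`, where macOS keeps a number of its administration tools. With `set -e` in effect, an activation snippet that calls one of those tools by bare name would abort the whole activation; the snippets themselves are outside this hunk, so this needs checking before `${config.environment.systemPath}` is dropped. If any of them do, extend the line to `export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin"`. The same literal is repeated in the hunk at `@@ -83,7 +83,7 @@`, so both copies need the same change, and a single `let` binding shared by the two scripts would keep them from drifting apart.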
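Review bot: In `pkgs/darwin-installer/default.nix` (hunk `@@ -58,7 +61,7 @@`) the editor call in the `y|Y)` arm is the one place where the caller's original `PATH` is put back, and nothing on the line says that this is deliberate. `$EDITOR` is resolved through the unsanitised search path and the editor inherits that `PATH` for anything it spawns, so this is an exception to the "pure" guarantee in the commit message and should be recorded as such. A comment above the line would do it, for example `# Deliberate exception: $EDITOR is the user's choice, so resolve it via their original PATH`. The `if` that encloses this `case` starts outside the hunk.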
From: Kirill Elagin
Date: Fri, 29 Jun 2018 19:05:57 +0300
Subject: [PATCH 2/2] fixup! installer and activation: Sanitise PATH
---
 pkgs/darwin-installer/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/darwin-installer/default.nix b/pkgs/darwin-installer/default.nix
index 70b4615..169509c 100644
--- a/pkgs/darwin-installer/default.nix
+++ b/pkgs/darwin-installer/default.nix
@@ -25,7 +25,7 @@ stdenv.mkDerivation {
 set -e
 orig_path="$PATH"
- export PATH="${pkgs.openssh}/bin" # In case nix needs it
+ export PATH="${pkgs.openssh}/bin:/usr/bin:/bin" # ssh in case nix needs it
 action=switch
 while [ "$#" -gt 0 ]; do
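Review bot: With `/usr/bin` now on the installer's `PATH`, the `ssh` that ships with macOS is reachable as well, yet `${pkgs.openssh}/bin` still comes first and the comment `# ssh in case nix needs it` does not say why the nixpkgs build should win. The two clients may not accept the same `ssh_config` options, so a user's existing configuration could behave differently under the installer than in their normal shell; this is inferred rather than visible in the hunk. Either drop the entry or state the reason on the line, for example `# nixpkgs ssh first (nix calls it for remote fetches); /usr/bin and /bin for the macOS base tools`. The visible lines also never assign `orig_path` back to `PATH`, so if the shellHook, which continues outside the hunk, can return to an interactive shell, the user is left with this reduced `PATH`.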