authorKirill Elagin <kirelagin@gmail.com>2018-06-29 18:32:09 +0300
committerKirill Elagin <kirelagin@gmail.com>2018-06-29 18:51:41 +0300
commit26bab2fd3290b42a3df54db291f0d8775f128857 (patch)
treed137f923e10336c2d4b0e865e0dbc080b3464731
parent9f18c937710854768ea8d437fe92f5e5bee92a92 (diff)
installer and activation: Sanitise PATH
This makes sure that the installation and activation processes are “pure”, i.e. they use only binaries from nixpkgs or ones that come with macOS. Closes #86.
-rw-r--r--modules/system/activation-scripts.nix4
-rw-r--r--pkgs/darwin-installer/default.nix5
2 files changed, 6 insertions, 3 deletions
diff --git a/modules/system/activation-scripts.nix b/modules/system/activation-scripts.nix
index 25d84ec..1b99e4c 100644
--- a/modules/system/activation-scripts.nix
+++ b/modules/system/activation-scripts.nix
@@ -40,7 +40,7 @@ in
#! ${stdenv.shell}
set -e
set -o pipefail
- export PATH=${pkgs.coreutils}/bin:@out@/sw/bin:${config.environment.systemPath}
+ export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin"
systemConfig=@out@
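Review bot: The hard-coded tail `/usr/bin:/bin` on the new `export PATH=` line leaves out `/usr/sbin` and `/sbin`, so any activation snippet that calls a macOS tool from those directories by bare name would stop resolving and, under `set -e`, abort activation; the script bodies are outside this hunk, so this needs checking against them. If such calls exist, either extend the tail to `/usr/bin:/bin:/usr/sbin:/sbin` or reference those tools by absolute path. The identical line is repeated in the hunk at -83,7; defining the string once in the surrounding Nix expression and interpolating it into both scripts would keep the two from drifting apart. A short comment such as `# Fixed PATH: do not inherit anything from the caller's environment` would also record why `config.environment.systemPath` is no longer used.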
@@ -83,7 +83,7 @@ in
#! ${stdenv.shell}
set -e
set -o pipefail
- export PATH=${pkgs.coreutils}/bin:@out@/sw/bin:${config.environment.systemPath}
+ export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin"
systemConfig=@out@
diff --git a/pkgs/darwin-installer/default.nix b/pkgs/darwin-installer/default.nix
index 8112371..70b4615 100644
--- a/pkgs/darwin-installer/default.nix
+++ b/pkgs/darwin-installer/default.nix
@@ -24,6 +24,9 @@ stdenv.mkDerivation {
shellHook = ''
set -e
+ orig_path="$PATH"
+ export PATH="${pkgs.openssh}/bin" # In case nix needs it
+
action=switch
while [ "$#" -gt 0 ]; do
i="$1"; shift 1
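Review bot: After `export PATH="${pkgs.openssh}/bin"` the only directory searched is openssh's, so every external command in the rest of the hook has to be written as a full store or system path; a bare name would fail with command-not-found and `set -e` would end the install. The rest of `shellHook` lies outside this hunk, so that is worth confirming line by line. The trailing comment `# In case nix needs it` could state the actual need, for example `# nix may invoke ssh (ssh:// stores, remote builders)` if that is the reason. `orig_path` deserves its own comment saying it holds the caller's unsanitised PATH and is meant only for launching the user's editor.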
@@ -58,7 +61,7 @@ stdenv.mkDerivation {
read -p "Would you like edit the default configuration.nix before starting? [y/n] " i
case "$i" in
y|Y)
- ''${EDITOR:-nano} "$config"
+ PATH="$orig_path" ''${EDITOR:-nano} "$config"
;;
esac
fi
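Review bot: The editor call on the `y|Y)` branch is the one command that runs with the caller's unsanitised PATH, and `$EDITOR` itself comes from the user's environment, so it should stay the only such exception and be marked as one: `# Editor is the user's choice; resolve it on the original PATH, not the sanitised one`. Because `set -e` is active, an editor that exits non-zero or cannot be found aborts the installer; if that is not intended, append `|| echo "editor exited with an error; continuing" >&2` to the line. `''${EDITOR:-nano}` is unquoted, which permits an editor name followed by flags but also word-splits and globs the value, so a comment stating that this is deliberate would help. The `if` that the closing `fi` belongs to starts outside this hunk.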