From ce0c31a2e2f2ef93f498736ed0b937cdc1834eec Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Fri, 26 May 2023 15:32:28 +0200
Subject: [PATCH] create pathAccessible, use it to infer default dirs
---
 src/libexpr/eval.cc | 15 +++++----------
 src/libstore/globals.cc | 4 +---
 src/libstore/globals.hh | 2 +-
 src/libutil/util.cc | 11 +++++++++++
 src/libutil/util.hh | 8 ++++++++
 5 files changed, 26 insertions(+), 14 deletions(-)
diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc
index 18644e441156..9c1f5e80bde5 100644
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@@ -2525,17 +2525,12 @@ Strings EvalSettings::getDefaultNixPath()
 {
 Strings res;
 auto add = [&](const Path & p, const std::string & s = std::string()) {
- try {
- if (pathExists(p)) {
- if (s.empty()) {
- res.push_back(p);
- } else {
- res.push_back(s + "=" + p);
- }
+ if (pathAccessible(p)) {
+ if (s.empty()) {
+ res.push_back(p);
+ } else {
+ res.push_back(s + "=" + p);
 }
- } catch (SysError & e) {
- // swallow EPERM
- if (e.errNo != EPERM) throw;
 }
 };
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index a196c10e66de..32e9a6ea91f6 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -57,8 +57,6 @@ Settings::Settings()
 auto sslOverride = getEnv("NIX_SSL_CERT_FILE").value_or(getEnv("SSL_CERT_FILE").value_or(""));
 if (sslOverride != "") caFile = sslOverride;
- else if (caFile == "")
- caFile = getDefaultSSLCertFile();
 /* Backwards compatibility. */
 auto s = getEnv("NIX_REMOTE_SYSTEMS");
@@ -185,7 +183,7 @@ bool Settings::isWSL1()
 Path Settings::getDefaultSSLCertFile()
 {
 for (auto & fn : {"/etc/ssl/certs/ca-certificates.crt", "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"})
- if (pathExists(fn)) return fn;
+ if (pathAccessible(fn)) return fn;
 return "";
 }
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 45e2fd378619..609cf53b8e34 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
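Review bot: In `Settings::getDefaultSSLCertFile()` (src/libstore/globals.cc), a candidate bundle whose lookup fails with EPERM is now skipped exactly like a missing one, so the loop silently moves on to the next path or returns `""`. Since the result becomes the default for `ssl-cert-file`, i.e. the CA certificates used to authenticate `https://` downloads, the fallback order deserves a comment above the loop, for example `// First accessible bundle wins; a candidate that is missing or fails with EPERM is skipped, and "" means no default bundle was found.` How an empty `caFile` affects certificate verification is decided outside this diff and should be confirmed there.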
@@ -833,7 +833,7 @@ public:
 )"};
 Setting caFile{
- this, "", "ssl-cert-file",
+ this, getDefaultSSLCertFile(), "ssl-cert-file",
 R"( The path of a file containing CA certificates used to authenticate `https://` downloads. Nix by default will use
diff --git a/src/libutil/util.cc b/src/libutil/util.cc
index 21d1c8dcd4f1..1f2e2d1f80fc 100644
--- a/src/libutil/util.cc
+++ b/src/libutil/util.cc
@@ -266,6 +266,17 @@ bool pathExists(const Path & path)
 return false;
 }
+bool pathAccessible(const Path & path)
+{
+ try {
+ return pathExists(path);
+ } catch (SysError & e) {
+ // swallow EPERM
+ if (e.errNo == EPERM) return false;
+ throw;
+ }
+}
+
 Path readLink(const Path & path)
 {
diff --git a/src/libutil/util.hh b/src/libutil/util.hh
index 040fed68f337..9f2a63aacc91 100644
--- a/src/libutil/util.hh
+++ b/src/libutil/util.hh
@@ -120,6 +120,14 @@ struct stat lstat(const Path & path);
 */
 bool pathExists(const Path & path);
+/**
+ * A version of pathExists that returns false on a permission error.
+ * Useful for inferring default paths across directories that might not
+ * be readable.
+ * @return true iff the given path can be accessed and exists
+ */
+bool pathAccessible(const Path & path);
+
 /**
 * Read the contents (target) of a symbolic link. The result is not
 * in any way canonicalised.
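Review bot: The new default argument `getDefaultSSLCertFile()` in the `caFile` initializer (src/libstore/globals.hh) runs while `Settings` is still being constructed, before any member declared after `caFile` has been initialized. The definition shown in globals.cc only walks two literal paths, so this is safe as written, but nothing stops a later edit from reading another setting there. If the declaration (outside this hunk) is not already static, `static Path getDefaultSSLCertFile();` would let the compiler enforce that; otherwise a short comment at the initializer, such as `// must not read other members: runs during member initialization`, would record the constraint.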
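Review bot: `pathAccessible()` in src/libutil/util.cc returns false only for `EPERM`, while the doc comment added in src/libutil/util.hh promises false "on a permission error" for directories "that might not be readable". A parent directory without search permission is normally reported as `EACCES`, and if `pathExists()` (its body is outside the hunk) raises `SysError` for that errno, the exception still escapes from the `add` lambda in eval.cc and from the `caFile` default initializer in globals.hh. Either widen the check to `if (e.errNo == EPERM || e.errNo == EACCES) return false;` or narrow the header comment to state that only `EPERM` is tolerated, so callers do not assume more than the code delivers. Catching as `const SysError & e` would also fit, since the handler only reads `errNo`.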