2014-08-27 18:41:09 +02:00
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
|
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
|
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
|
|
|
version="5.0"
|
|
|
|
|
xml:id="ssec-multi-user">
|
|
|
|
|
|
|
|
|
|
<title>Multi-User Mode</title>
|
|
|
|
|
|
|
|
|
|
<para>To allow a Nix store to be shared safely among multiple users,
|
|
|
|
|
it is important that users are not able to run builders that modify
|
|
|
|
|
the Nix store or database in arbitrary ways, or that interfere with
|
|
|
|
|
builds started by other users. If they could do so, they could
|
|
|
|
|
install a Trojan horse in some package and compromise the accounts of
|
|
|
|
|
other users.</para>
|
|
|
|
|
|
|
|
|
|
<para>To prevent this, the Nix store and database are owned by some
|
|
|
|
|
privileged user (usually <literal>root</literal>) and builders are
|
|
|
|
|
executed under special user accounts (usually named
|
|
|
|
|
<literal>nixbld1</literal>, <literal>nixbld2</literal>, etc.). When a
|
|
|
|
|
unprivileged user runs a Nix command, actions that operate on the Nix
|
|
|
|
|
store (such as builds) are forwarded to a <emphasis>Nix
|
|
|
|
|
daemon</emphasis> running under the owner of the Nix store/database
|
|
|
|
|
that performs the operation.</para>
|
|
|
|
|
|
2014-09-16 14:14:09 +02:00
|
|
|
|
<note><para>Multi-user mode has one important limitation: only
|
2014-12-13 23:16:08 +01:00
|
|
|
|
<systemitem class="username">root</systemitem> and a set of trusted
|
|
|
|
|
users specified in <filename>nix.conf</filename> can specify arbitrary
|
|
|
|
|
binary caches. So while unprivileged users may install packages from
|
|
|
|
|
arbitrary Nix expressions, they may not get pre-built
|
|
|
|
|
binaries.</para></note>
|
2014-08-27 18:41:09 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<simplesect>
|
|
|
|
|
|
|
|
|
|
<title>Setting up the build users</title>
|
|
|
|
|
|
|
|
|
|
<para>The <emphasis>build users</emphasis> are the special UIDs under
|
|
|
|
|
which builds are performed. They should all be members of the
|
|
|
|
|
<emphasis>build users group</emphasis> <literal>nixbld</literal>.
|
|
|
|
|
This group should have no other members. The build users should not
|
|
|
|
|
be members of any other group. On Linux, you can create the group and
|
|
|
|
|
users as follows:
|
|
|
|
|
|
|
|
|
|
<screen>
|
|
|
|
|
$ groupadd -r nixbld
|
|
|
|
|
$ for n in $(seq 1 10); do useradd -c "Nix build user $n" \
|
|
|
|
|
-d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" \
|
|
|
|
|
nixbld$n; done
|
|
|
|
|
</screen>
|
|
|
|
|
|
|
|
|
|
This creates 10 build users. There can never be more concurrent builds
|
|
|
|
|
than the number of build users, so you may want to increase this if
|
|
|
|
|
you expect to do many builds at the same time.</para>
|
|
|
|
|
|
2017-07-30 12:26:17 +02:00
|
|
|
|
<para>On macOS, you can create the required group and users by
|
2015-01-06 11:17:11 +01:00
|
|
|
|
running the following script:
|
|
|
|
|
|
|
|
|
|
<programlisting>
|
|
|
|
|
#! /bin/bash -e
|
|
|
|
|
|
|
|
|
|
dseditgroup -o create nixbld -q
|
|
|
|
|
|
|
|
|
|
gid=$(dscl . -read /Groups/nixbld | awk '($1 == "PrimaryGroupID:") {print $2 }')
|
|
|
|
|
|
|
|
|
|
echo "created nixbld group with gid $gid"
|
|
|
|
|
|
|
|
|
|
for i in $(seq 1 10); do
|
|
|
|
|
user=/Users/nixbld$i
|
|
|
|
|
uid="$((30000 + $i))"
|
|
|
|
|
dscl . create $user
|
|
|
|
|
dscl . create $user RealName "Nix build user $i"
|
|
|
|
|
dscl . create $user PrimaryGroupID "$gid"
|
|
|
|
|
dscl . create $user UserShell /usr/bin/false
|
|
|
|
|
dscl . create $user NFSHomeDirectory /var/empty
|
|
|
|
|
dscl . create $user UniqueID "$uid"
|
|
|
|
|
dseditgroup -o edit -a nixbld$i -t user nixbld
|
|
|
|
|
echo "created nixbld$i user with uid $uid"
|
|
|
|
|
done
|
|
|
|
|
</programlisting>
|
|
|
|
|
|
|
|
|
|
</para>
|
|
|
|
|
|
2014-08-27 18:41:09 +02:00
|
|
|
|
</simplesect>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<simplesect>
|
|
|
|
|
|
|
|
|
|
<title>Running the daemon</title>
|
|
|
|
|
|
|
|
|
|
<para>The <link linkend="sec-nix-daemon">Nix daemon</link> should be
|
|
|
|
|
started as follows (as <literal>root</literal>):
|
|
|
|
|
|
|
|
|
|
<screen>
|
|
|
|
|
$ nix-daemon</screen>
|
|
|
|
|
|
|
|
|
|
You’ll want to put that line somewhere in your system’s boot
|
|
|
|
|
scripts.</para>
|
|
|
|
|
|
|
|
|
|
<para>To let unprivileged users use the daemon, they should set the
|
|
|
|
|
<link linkend="envar-remote"><envar>NIX_REMOTE</envar> environment
|
|
|
|
|
variable</link> to <literal>daemon</literal>. So you should put a
|
|
|
|
|
line like
|
|
|
|
|
|
|
|
|
|
<programlisting>
|
|
|
|
|
export NIX_REMOTE=daemon</programlisting>
|
|
|
|
|
|
|
|
|
|
into the users’ login scripts.</para>
|
|
|
|
|
|
|
|
|
|
</simplesect>
|
|
|
|
|
|
2014-09-16 14:14:09 +02:00
|
|
|
|
|
2014-08-27 18:41:09 +02:00
|
|
|
|
<simplesect>
|
|
|
|
|
|
|
|
|
|
<title>Restricting access</title>
|
|
|
|
|
|
|
|
|
|
<para>To limit which users can perform Nix operations, you can use the
|
|
|
|
|
permissions on the directory
|
|
|
|
|
<filename>/nix/var/nix/daemon-socket</filename>. For instance, if you
|
|
|
|
|
want to restrict the use of Nix to the members of a group called
|
|
|
|
|
<literal>nix-users</literal>, do
|
|
|
|
|
|
|
|
|
|
<screen>
|
|
|
|
|
$ chgrp nix-users /nix/var/nix/daemon-socket
|
|
|
|
|
$ chmod ug=rwx,o= /nix/var/nix/daemon-socket
|
|
|
|
|
</screen>
|
|
|
|
|
|
|
|
|
|
This way, users who are not in the <literal>nix-users</literal> group
|
|
|
|
|
cannot connect to the Unix domain socket
|
|
|
|
|
<filename>/nix/var/nix/daemon-socket/socket</filename>, so they cannot
|
|
|
|
|
perform Nix operations.</para>
|
|
|
|
|
|
|
|
|
|
</simplesect>
|
|
|
|
|
|
|
|
|
|
|
2014-09-16 14:14:09 +02:00
|
|
|
|
</section>
|