authorEelco Dolstra <e.dolstra@tudelft.nl>2005-09-21 12:19:39 +0000
committerEelco Dolstra <e.dolstra@tudelft.nl>2005-09-21 12:19:39 +0000
commit8d06842a761bab72a2886420c6c47f9daedf30e3 (patch)
tree075106ebd1bcfbda99dc46dd1a6684149ec503c7
parent89cd0f57b174ec4dc7e0a4e6015ed401272d9aad (diff)
* Configuration options for trusted local builds.
-rw-r--r--nix.conf.example31
-rw-r--r--src/libstore/globals.cc7
-rw-r--r--src/libstore/globals.hh10
3 files changed, 43 insertions, 5 deletions
diff --git a/nix.conf.example b/nix.conf.example
index fcdf6fccd..e2735d180 100644
--- a/nix.conf.example
+++ b/nix.conf.example
@@ -47,3 +47,34 @@ gc-keep-derivations = true
# while this option was enabled, while `gc-keep-derivations' only
# applies at the moment the garbage collector is run.
env-keep-derivations = false
+
+
+### Option `build-allow-root'
+#
+# This option controls Nix's behaviour when it is invoked under the
+# `root' user (or setuid-root). If `true' (default), builds are
+# performed under the `root' user. If `false', builds are performed
+# under one of the users listed in the `build-users' option (see
+# below).
+build-allow-root = true
+
+
+### Option `build-users'
+#
+# This option is only applicable if `build-allow-root' is `false' and
+# Nix is invoked under the `root' user (or setuid-root). It contains
+# a list of user names under which Nix can execute builds. Builds
+# cannot be performed by root since that would allow users to take
+# over the system by supplying specially crafted builders; and they
+# cannot be performed by the calling user since that would allow
+# him/her to influence the build result.
+#
+# Thus this list should contain a number of `special' user accounts
+# created specifically for Nix, e.g., `nix-builder-1',
+# `nix-builder-2', and so on. The more users the better, since at
+# most a number of builds equal to the number of build users can be
+# started.
+#
+# Example:
+# build-users = nix-builder-1 nix-builder-2 nix-builder-3
+build-users =
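Review bot: The `build-allow-root` section defaults to running builds as root, yet the reason that is dangerous appears only further down, under `build-users`. The same default is compiled in as `bool buildAllowRoot = true;` in src/libstore/globals.cc. An administrator who reads only the first section would not learn that a root build lets a specially crafted builder take over the system. I would add a line to the `build-allow-root` comment such as `# With the default, builders run with root privileges; set this to false on multi-user systems.` Since `true` is presumably what every install gets when the option is omitted, keeping it as the default deserves an explicit decision.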
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index 4387c8acc..8cbae54e2 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -11,16 +11,13 @@ string nixDBPath = "/UNINIT";
string nixConfDir = "/UNINIT";
bool keepFailed = false;
-
bool keepGoing = false;
-
bool tryFallback = false;
-
Verbosity buildVerbosity = lvlInfo;
-
unsigned int maxBuildJobs = 1;
-
bool readOnlyMode = false;
+bool buildAllowRoot = true;
+list<string> buildUsers;
static bool settingsRead = false;
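Review bot: Nothing in this commit reads `build-allow-root` or `build-users` into the two globals defined here. The diffstat accounts for all 43 insertions as the example file, these two definitions and the header declarations. Unless another file already consumes the setting, an administrator who sets `build-allow-root = false` as nix.conf.example describes would still get root builds. I would land the parsing and enforcement in the same change, or add a comment above the definitions such as `/* NOTE: not yet read from nix.conf or enforced. */` so the option is not mistaken for an active control.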
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index e2ae2ed65..327b1bbc3 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -2,6 +2,7 @@
#define __GLOBALS_H
#include <string>
+#include <set>
#include "util.hh"
using namespace std;
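Review bot: The added `#include <set>` does not match what the header now declares: the new declaration further down is `extern list<string> buildUsers;`, and nothing in the visible hunks uses `std::set`. `list` presumably arrives through `util.hh`, which leaves the header depending on a transitive include. I would replace the line with `#include <list>`, or add that next to `<set>` if a set is planned.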
@@ -52,6 +53,15 @@ extern unsigned int maxBuildJobs;
database. */
extern bool readOnlyMode;
+/* Whether to allow builds by root. Corresponds to the
+ `build-allow-root' configuration option. */
+extern bool buildAllowRoot;
+
+/* The list of users under which root-initiated builds can be
+ performed. Correspons to the `build-users' configuration
+ option. */
+extern list<string> buildUsers;
+
string querySetting(const string & name, const string & def);
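Review bot: The comment on `buildUsers` does not say what an empty list means when `buildAllowRoot` is false, and nix.conf.example ships `build-users =` empty. For a privilege-dropping control the caller contract should be explicit. If it is the intended behaviour, I would extend the comment with `If empty while buildAllowRoot is false, root-initiated builds must be refused rather than run as root.` The same comment has a typo, `Correspons` for `Corresponds`.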