aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRobert Hensing <roberth@users.noreply.github.com>2023-06-23 13:08:46 +0200
committerGitHub <noreply@github.com>2023-06-23 13:08:46 +0200
commitfd4f03b8fdcb0f33552730c786139019e29f5dbe (patch)
tree8a7f222bf7936ddd29bcd2cba6b18568858ac165
parent8350f06d6c319b250d006b195415b9b6e95d8ca1 (diff)
parente91d19db5f827cec56e32fe9b7c07c8d2c546ce6 (diff)
Merge pull request #8519 from fricklerhandwerk/reword-trusted-users
reword documentation on trusted users and substituters
-rw-r--r--src/libstore/globals.hh14
-rw-r--r--src/nix/daemon.cc31
2 files changed, 22 insertions, 23 deletions
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index b8dcf1f76..ec8625020 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -700,8 +700,8 @@ public:
At least one of the following conditions must be met for Nix to use a substituter:
- - the substituter is in the [`trusted-substituters`](#conf-trusted-substituters) list
- - the user calling Nix is in the [`trusted-users`](#conf-trusted-users) list
+ - The substituter is in the [`trusted-substituters`](#conf-trusted-substituters) list
+ - The user calling Nix is in the [`trusted-users`](#conf-trusted-users) list
In addition, each store path should be trusted as described in [`trusted-public-keys`](#conf-trusted-public-keys)
)",
@@ -710,12 +710,10 @@ public:
Setting<StringSet> trustedSubstituters{
this, {}, "trusted-substituters",
R"(
- A list of [URLs of Nix stores](@docroot@/command-ref/new-cli/nix3-help-stores.md#store-url-format),
- separated by whitespace. These are
- not used by default, but can be enabled by users of the Nix daemon
- by specifying `--option substituters urls` on the command
- line. Unprivileged users are only allowed to pass a subset of the
- URLs listed in `substituters` and `trusted-substituters`.
+ A list of [Nix store URLs](@docroot@/command-ref/new-cli/nix3-help-stores.md#store-url-format), separated by whitespace.
+ These are not used by default, but users of the Nix daemon can enable them by specifying [`substituters`](#conf-substituters).
+
+ Unprivileged users (those set in only [`allowed-users`](#conf-allowed-users) but not [`trusted-users`](#conf-trusted-users)) can pass as `substituters` only those URLs listed in `trusted-substituters`.
)",
{"trusted-binary-caches"}};
diff --git a/src/nix/daemon.cc b/src/nix/daemon.cc
index 8e2bcf7e1..1511f9e6e 100644
--- a/src/nix/daemon.cc
+++ b/src/nix/daemon.cc
@@ -56,19 +56,16 @@ struct AuthorizationSettings : Config {
Setting<Strings> trustedUsers{
this, {"root"}, "trusted-users",
R"(
- A list of names of users (separated by whitespace) that have
- additional rights when connecting to the Nix daemon, such as the
- ability to specify additional binary caches, or to import unsigned
- NARs. You can also specify groups by prefixing them with `@`; for
- instance, `@wheel` means all users in the `wheel` group. The default
- is `root`.
+ A list of user names, separated by whitespace.
+ These users will have additional rights when connecting to the Nix daemon, such as the ability to specify additional [substituters](#conf-substituters), or to import unsigned [NARs](@docroot@/glossary.md#gloss-nar).
+
+ You can also specify groups by prefixing names with `@`.
+ For instance, `@wheel` means all users in the `wheel` group.
> **Warning**
>
- > Adding a user to `trusted-users` is essentially equivalent to
- > giving that user root access to the system. For example, the user
- > can set `sandbox-paths` and thereby obtain read access to
- > directories that are otherwise inacessible to them.
+ > Adding a user to `trusted-users` is essentially equivalent to giving that user root access to the system.
+ > For example, the user can access or replace store path contents that are critical for system security.
)"};
/**
@@ -77,12 +74,16 @@ struct AuthorizationSettings : Config {
Setting<Strings> allowedUsers{
this, {"*"}, "allowed-users",
R"(
- A list of names of users (separated by whitespace) that are allowed
- to connect to the Nix daemon. As with the `trusted-users` option,
- you can specify groups by prefixing them with `@`. Also, you can
- allow all users by specifying `*`. The default is `*`.
+ A list user names, separated by whitespace.
+ These users are allowed to connect to the Nix daemon.
+
+ You can specify groups by prefixing names with `@`.
+ For instance, `@wheel` means all users in the `wheel` group.
+ Also, you can allow all users by specifying `*`.
- Note that trusted users are always allowed to connect.
+ > **Note**
+ >
+ > Trusted users (set in [`trusted-users`](#conf-trusted-users)) can always connect to the Nix daemon.
)"};
};