diff options
author | Eelco Dolstra <edolstra@gmail.com> | 2021-09-15 20:33:44 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-09-15 20:33:44 +0200 |
commit | 79152e307e7eef667c3de9c21571d017654a7c32 (patch) | |
tree | 67fd413bcf0b42c5ada7eddc41a04f7bd99df3a8 /doc/manual/installation/multi-user.xml | |
parent | 7349f257da8278af9aae35544b15c9a204e2a57b (diff) | |
parent | 3b82c1a5fef521ebadea5df12384390c8c24100c (diff) |
Merge pull request #5212 from mkenigs/auto-uid-allocation
Merge master into #3600
Diffstat (limited to 'doc/manual/installation/multi-user.xml')
-rw-r--r-- | doc/manual/installation/multi-user.xml | 107 |
1 files changed, 0 insertions, 107 deletions
diff --git a/doc/manual/installation/multi-user.xml b/doc/manual/installation/multi-user.xml deleted file mode 100644 index 69ae1ef27..000000000 --- a/doc/manual/installation/multi-user.xml +++ /dev/null @@ -1,107 +0,0 @@ -<section xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="ssec-multi-user"> - -<title>Multi-User Mode</title> - -<para>To allow a Nix store to be shared safely among multiple users, -it is important that users are not able to run builders that modify -the Nix store or database in arbitrary ways, or that interfere with -builds started by other users. If they could do so, they could -install a Trojan horse in some package and compromise the accounts of -other users.</para> - -<para>To prevent this, the Nix store and database are owned by some -privileged user (usually <literal>root</literal>) and builders are -executed under special user accounts (usually named -<literal>nixbld1</literal>, <literal>nixbld2</literal>, etc.). When a -unprivileged user runs a Nix command, actions that operate on the Nix -store (such as builds) are forwarded to a <emphasis>Nix -daemon</emphasis> running under the owner of the Nix store/database -that performs the operation.</para> - -<note><para>Multi-user mode has one important limitation: only -<systemitem class="username">root</systemitem> and a set of trusted -users specified in <filename>nix.conf</filename> can specify arbitrary -binary caches. So while unprivileged users may install packages from -arbitrary Nix expressions, they may not get pre-built -binaries.</para></note> - - -<simplesect> - -<title>Setting up the build users</title> - -<para>The <emphasis>build users</emphasis> are the special UIDs under -which builds are performed. They should all be members of the -<emphasis>build users group</emphasis> <literal>nixbld</literal>. -This group should have no other members. The build users should not -be members of any other group. On Linux, you can create the group and -users as follows: - -<screen> -$ groupadd -r nixbld -$ for n in $(seq 1 10); do useradd -c "Nix build user $n" \ - -d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" \ - nixbld$n; done -</screen> - -This creates 10 build users. There can never be more concurrent builds -than the number of build users, so you may want to increase this if -you expect to do many builds at the same time.</para> - -</simplesect> - - -<simplesect> - -<title>Running the daemon</title> - -<para>The <link linkend="sec-nix-daemon">Nix daemon</link> should be -started as follows (as <literal>root</literal>): - -<screen> -$ nix-daemon</screen> - -You’ll want to put that line somewhere in your system’s boot -scripts.</para> - -<para>To let unprivileged users use the daemon, they should set the -<link linkend="envar-remote"><envar>NIX_REMOTE</envar> environment -variable</link> to <literal>daemon</literal>. So you should put a -line like - -<programlisting> -export NIX_REMOTE=daemon</programlisting> - -into the users’ login scripts.</para> - -</simplesect> - - -<simplesect> - -<title>Restricting access</title> - -<para>To limit which users can perform Nix operations, you can use the -permissions on the directory -<filename>/nix/var/nix/daemon-socket</filename>. For instance, if you -want to restrict the use of Nix to the members of a group called -<literal>nix-users</literal>, do - -<screen> -$ chgrp nix-users /nix/var/nix/daemon-socket -$ chmod ug=rwx,o= /nix/var/nix/daemon-socket -</screen> - -This way, users who are not in the <literal>nix-users</literal> group -cannot connect to the Unix domain socket -<filename>/nix/var/nix/daemon-socket/socket</filename>, so they cannot -perform Nix operations.</para> - -</simplesect> - - -</section> |