aboutsummaryrefslogtreecommitdiff
path: root/doc/manual
diff options
context:
space:
mode:
authorEelco Dolstra <eelco.dolstra@logicblox.com>2014-07-17 16:57:07 +0200
committerEelco Dolstra <eelco.dolstra@logicblox.com>2014-07-17 16:57:07 +0200
commit049c0eb49c621ae50f49c8a06dc6c3a9839ef388 (patch)
tree63c0f299510adda0e21c7d323917eefcd5e1f6ce /doc/manual
parent0c730887c4ec4a03fb854490e422c134a1bf8139 (diff)
nix-daemon: Add trusted-users and allowed-users options
‘trusted-users’ is a list of users and groups that have elevated rights, such as the ability to specify binary caches. It defaults to ‘root’. A typical value would be ‘@wheel’ to specify all users in the wheel group. ‘allowed-users’ is a list of users and groups that are allowed to connect to the daemon. It defaults to ‘*’. A typical value would be ‘@users’ to specify the ‘users’ group.
Diffstat (limited to 'doc/manual')
-rw-r--r--doc/manual/conf-file.xml42
1 files changed, 42 insertions, 0 deletions
diff --git a/doc/manual/conf-file.xml b/doc/manual/conf-file.xml
index 29f7f9c51..6af4c7765 100644
--- a/doc/manual/conf-file.xml
+++ b/doc/manual/conf-file.xml
@@ -479,6 +479,48 @@ flag, e.g. <literal>--option gc-keep-outputs false</literal>.</para>
</varlistentry>
+ <varlistentry xml:id="conf-trusted-users"><term><literal>trusted-users</literal></term>
+
+ <listitem>
+
+ <para>A list of names of users (separated by whitespace) that
+ have additional rights when connecting to the Nix daemon, such
+ as the ability to specify additional binary caches, or to import
+ unsigned NARs. You can also specify groups by prefixing them
+ with <literal>@</literal>; for instance,
+ <literal>@wheel</literal> means all users in the
+ <literal>wheel</literal> group. The default is
+ <literal>root</literal>.</para>
+
+ <warning><para>The users listed here have the ability to
+ compromise the security of a multi-user Nix store. For instance,
+ they could install Trojan horses subsequently executed by other
+ users. So you should consider carefully whether to add users to
+ this list.</para></warning>
+
+ </listitem>
+
+ </varlistentry>
+
+
+ <varlistentry xml:id="conf-allowed-users"><term><literal>allowed-users</literal></term>
+
+ <listitem>
+
+ <para>A list of names of users (separated by whitespace) that
+ are allowed to connect to the Nix daemon. As with the
+ <option>trusted-users</option> option, you can specify groups by
+ prefixing them with <literal>@</literal>. Also, you can allow
+ all users by specifying <literal>*</literal>. The default is
+ <literal>*</literal>.</para>
+
+ <para>Note that trusted users are always allowed to connect.</para>
+
+ </listitem>
+
+ </varlistentry>
+
+
</variablelist>
</para>