| author | Jade Lovelace <lix@jade.fyi> | 2024-06-10 19:55:40 -0700 |
|---|---|---|
| committer | Jade Lovelace <lix@jade.fyi> | 2024-06-12 15:34:23 -0700 |
| commit | 5f6eb6eb446d911228e830f45edb8ced8413bb58 (patch) | |
| tree | 5f62581234bde47f9525da70950724526818392e /src/libstore/globals.hh | |
| parent | d9345d8836d295a205eab19ce9e969bcc9a35b42 (diff) | |
doc: rewrite the multi-user documentation to actually talk about security
It's in the security section, and it was totally outdated anyway.
I took the opportunity to write down the stuff we already believed.
Change-Id: I73e62ae85a82dad13ef846e31f377c3efce13cb0
Diffstat (limited to 'src/libstore/globals.hh')
-rw-r--r-- | src/libstore/globals.hh | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index ab33efe8a..947a2fbf0 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -331,7 +331,7 @@ public: performed by the Lix account since that would allow users to arbitrarily modify the Nix store and database by supplying specially crafted builders; and they cannot be performed by the calling user - since that would allow him/her to influence the build result. + since that would allow them to influence the build result. Therefore, if this option is non-empty and specifies a valid group, builds will be performed under the user accounts that are a member @@ -352,10 +352,17 @@ public: If the build users group is empty, builds will be performed under the uid of the Lix process (that is, the uid of the caller if - `NIX_REMOTE` is empty, the uid under which the Nix daemon runs if - `NIX_REMOTE` is `daemon`). Obviously, this should not be used + both `NIX_REMOTE` is either empty or `auto` and the Nix store is + owned by that user, or, alternatively, the uid under which the Nix + daemon runs if `NIX_REMOTE` is `daemon` or if it is `auto` and the + store is not owned by the caller). Obviously, this should not be used with a nix daemon accessible to untrusted clients. + For the avoidance of doubt, explicitly setting this to *empty* with a + Lix daemon running as root means that builds will be executed as root + with respect to the rest of the system. + We intend to fix this: https://git.lix.systems/lix-project/lix/issues/242 + Defaults to `nixbld` when running as root, *empty* otherwise. )", {}, false}; |
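Review bot: the rewritten sentence in the second hunk, "both `NIX_REMOTE` is either empty or `auto` and the Nix store is owned by that user, or, alternatively, the uid under which the Nix daemon runs ...", is hard to parse because "both" is left dangling in front of an "either ... or" that belongs to only the first alternative. Suggest splitting the two cases into separate clauses, e.g. "the uid of the caller if `NIX_REMOTE` is empty or `auto` and the Nix store is owned by that user; otherwise the uid under which the Nix daemon runs, i.e. if `NIX_REMOTE` is `daemon`, or `auto` with a store not owned by the caller". The "For the avoidance of doubt" paragraph is the security-relevant statement of this change (an explicitly empty build users group with a root daemon means builds run as root), so it is worth keeping it adjacent to the "Defaults to `nixbld` when running as root" line so readers see the default that avoids that situation; the bare issue URL "We intend to fix this: https://git.lix.systems/lix-project/lix/issues/242" should be checked for rendering in the generated settings documentation, since the surrounding text uses markdown.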