* Create the Nix daemon socket in a separate directory

  (/nix/var/nix/daemon-socket).  This allows access to the Nix daemon
  to be restricted by setting the mode/ownership on that directory as
  desired, e.g.

    $ chmod 770 /nix/var/nix/daemon-socket
    $ chown root.wheel /nix/var/nix/daemon-socket

  to allow only users in the wheel group to use Nix.

  Setting the ownership on a socket is much trickier, since the socket
  must be deleted and recreated every time the daemon is started
  (which would require additional Nix configuration file directives to
  specify the mode/ownership, and wouldn't support arbitrary ACLs),
  some BSD variants appear to ignore permissions on sockets, and it's
  not clear whether the umask is respected on every platform when
  creating sockets.

1 files changed, 4 insertions, 1 deletions

diff --git a/src/nix-worker/nix-worker.cc b/src/nix-worker/nix-worker.cc
index 6ddf01bd0..b9d5b1e26 100644
--- a/src/nix-worker/nix-worker.cc
+++ b/src/nix-worker/nix-worker.cc
@@ -517,6 +517,8 @@ static void daemonLoop()
 
     string socketPath = nixStateDir + DEFAULT_SOCKET_PATH;
 
+    createDirs(dirOf(socketPath));
+
     struct sockaddr_un addr;
     addr.sun_family = AF_UNIX;
     if (socketPath.size() >= sizeof(addr.sun_path))
@@ -526,7 +528,8 @@ static void daemonLoop()
     unlink(socketPath.c_str());
 
     /* Make sure that the socket is created with 0666 permission
-       (everybody can connect). */
+       (everybody can connect --- provided they have access to the
+       directory containing the socket). */
     mode_t oldMode = umask(0111);
     int res = bind(fdSocket, (struct sockaddr *) &addr, sizeof(addr));
     umask(oldMode);