aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/libstore/daemon.cc13
-rw-r--r--src/libstore/globals.hh34
-rw-r--r--src/nix/daemon.cc41
3 files changed, 52 insertions, 36 deletions
diff --git a/src/libstore/daemon.cc b/src/libstore/daemon.cc
index d1f69fe2d..5e6fd011f 100644
--- a/src/libstore/daemon.cc
+++ b/src/libstore/daemon.cc
@@ -529,7 +529,14 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
mode = (BuildMode) readInt(from);
/* Repairing is not atomic, so disallowed for "untrusted"
- clients. */
+ clients.
+
+ FIXME: layer violation in this message: the daemon code (i.e.
+ this file) knows whether a client/connection is trusted, but it
+ does not how how the client was authenticated. The mechanism
+ need not be getting the UID of the other end of a Unix Domain
+ Socket.
+ */
if (mode == bmRepair && !trusted)
throw Error("repairing is not allowed because you are not in 'trusted-users'");
}
@@ -546,7 +553,9 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
mode = (BuildMode) readInt(from);
/* Repairing is not atomic, so disallowed for "untrusted"
- clients. */
+ clients.
+
+ FIXME: layer violation; see above. */
if (mode == bmRepair && !trusted)
throw Error("repairing is not allowed because you are not in 'trusted-users'");
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index c3ccb5e11..42981219d 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -279,8 +279,8 @@ public:
If the build users group is empty, builds will be performed under
the uid of the Nix process (that is, the uid of the caller if
`NIX_REMOTE` is empty, the uid under which the Nix daemon runs if
- `NIX_REMOTE` is `daemon`). Obviously, this should not be used in
- multi-user settings with untrusted users.
+ `NIX_REMOTE` is `daemon`). Obviously, this should not be used
+ with a nix daemon accessible to untrusted clients.
Defaults to `nixbld` when running as root, *empty* otherwise.
)",
@@ -696,24 +696,6 @@ public:
)",
{"trusted-binary-caches"}};
- Setting<Strings> trustedUsers{
- this, {"root"}, "trusted-users",
- R"(
- A list of names of users (separated by whitespace) that have
- additional rights when connecting to the Nix daemon, such as the
- ability to specify additional binary caches, or to import unsigned
- NARs. You can also specify groups by prefixing them with `@`; for
- instance, `@wheel` means all users in the `wheel` group. The default
- is `root`.
-
- > **Warning**
- >
- > Adding a user to `trusted-users` is essentially equivalent to
- > giving that user root access to the system. For example, the user
- > can set `sandbox-paths` and thereby obtain read access to
- > directories that are otherwise inacessible to them.
- )"};
-
Setting<unsigned int> ttlNegativeNarInfoCache{
this, 3600, "narinfo-cache-negative-ttl",
R"(
@@ -736,18 +718,6 @@ public:
mismatch if the build isn't reproducible.
)"};
- /* ?Who we trust to use the daemon in safe ways */
- Setting<Strings> allowedUsers{
- this, {"*"}, "allowed-users",
- R"(
- A list of names of users (separated by whitespace) that are allowed
- to connect to the Nix daemon. As with the `trusted-users` option,
- you can specify groups by prefixing them with `@`. Also, you can
- allow all users by specifying `*`. The default is `*`.
-
- Note that trusted users are always allowed to connect.
- )"};
-
Setting<bool> printMissing{this, true, "print-missing",
"Whether to print what paths need to be built or downloaded."};
diff --git a/src/nix/daemon.cc b/src/nix/daemon.cc
index 96568fb8f..2ba56ee26 100644
--- a/src/nix/daemon.cc
+++ b/src/nix/daemon.cc
@@ -34,6 +34,43 @@
using namespace nix;
using namespace nix::daemon;
+struct UserSettings : Config {
+
+ Setting<Strings> trustedUsers{
+ this, {"root"}, "trusted-users",
+ R"(
+ A list of names of users (separated by whitespace) that have
+ additional rights when connecting to the Nix daemon, such as the
+ ability to specify additional binary caches, or to import unsigned
+ NARs. You can also specify groups by prefixing them with `@`; for
+ instance, `@wheel` means all users in the `wheel` group. The default
+ is `root`.
+
+ > **Warning**
+ >
+ > Adding a user to `trusted-users` is essentially equivalent to
+ > giving that user root access to the system. For example, the user
+ > can set `sandbox-paths` and thereby obtain read access to
+ > directories that are otherwise inacessible to them.
+ )"};
+
+ /* ?Who we trust to use the daemon in safe ways */
+ Setting<Strings> allowedUsers{
+ this, {"*"}, "allowed-users",
+ R"(
+ A list of names of users (separated by whitespace) that are allowed
+ to connect to the Nix daemon. As with the `trusted-users` option,
+ you can specify groups by prefixing them with `@`. Also, you can
+ allow all users by specifying `*`. The default is `*`.
+
+ Note that trusted users are always allowed to connect.
+ )"};
+};
+
+UserSettings userSettings;
+
+static GlobalConfig::Register rSettings(&userSettings);
+
#ifndef __linux__
#define SPLICE_F_MOVE 0
static ssize_t splice(int fd_in, void *off_in, int fd_out, void *off_out, size_t len, unsigned int flags)
@@ -203,8 +240,8 @@ static void daemonLoop()
struct group * gr = peer.gidKnown ? getgrgid(peer.gid) : 0;
std::string group = gr ? gr->gr_name : std::to_string(peer.gid);
- Strings trustedUsers = settings.trustedUsers;
- Strings allowedUsers = settings.allowedUsers;
+ Strings trustedUsers = userSettings.trustedUsers;
+ Strings allowedUsers = userSettings.allowedUsers;
if (matchUser(user, group, trustedUsers))
trusted = Trusted;