Diffstat (limited to 'src')
-rw-r--r-- src/libexpr/eval-settings.hh 2
-rw-r--r-- src/libfetchers/fetch-settings.hh 12
-rw-r--r-- src/libstore/derivations.hh 2
-rw-r--r-- src/libstore/globals.hh 13
-rw-r--r-- src/nix/flake.md 8
5 files changed, 28 insertions, 9 deletions
diff --git a/src/libexpr/eval-settings.hh b/src/libexpr/eval-settings.hh
index 64c74c4b9..6282579a9 100644
--- a/src/libexpr/eval-settings.hh
+++ b/src/libexpr/eval-settings.hh
@@ -64,7 +64,7 @@ struct EvalSettings : Config
Pure evaluation mode ensures that the result of Nix expressions is fully determined by explicitly declared inputs, and not influenced by external state:
- Restrict file system and network access to files specified by cryptographic hash
- - Disable [`bultins.currentSystem`](@docroot@/language/builtin-constants.md#builtins-currentSystem) and [`builtins.currentTime`](@docroot@/language/builtin-constants.md#builtins-currentTime)
+ - Disable [`builtins.currentSystem`](@docroot@/language/builtin-constants.md#builtins-currentSystem) and [`builtins.currentTime`](@docroot@/language/builtin-constants.md#builtins-currentTime)
)"
};
diff --git a/src/libfetchers/fetch-settings.hh b/src/libfetchers/fetch-settings.hh
index 2dc2834fb..6fb260c3a 100644
--- a/src/libfetchers/fetch-settings.hh
+++ b/src/libfetchers/fetch-settings.hh
@@ -87,7 +87,17 @@ struct FetchSettings : public Config
{}, true, Xp::Flakes};
Setting<bool> acceptFlakeConfig{this, false, "accept-flake-config",
- "Whether to accept nix configuration from a flake without prompting.",
+ R"(
+ Whether to accept Lix configuration from the `nixConfig` attribute of
+ a flake without prompting. This is almost always a very bad idea.
+
+ Setting this setting as a trusted user allows Nix flakes to gain root
+ access on your machine if they set one of the several
+ trusted-user-only settings that execute commands as root.
+
+ See [multi-user installations](@docroot@/installation/multi-user.md)
+ for more details on the Lix security model.
+ )",
{}, true, Xp::Flakes};
Setting<std::string> commitLockFileSummary{
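Review bot: The new `accept-flake-config` help text warns about "one of the several trusted-user-only settings that execute commands as root" but does not name any of them or link to where they are listed, so a reader cannot tell which `nixConfig` keys to look for when auditing a flake. Link to the relevant entries the same way the text already links to `multi-user.md`. Two wording points in the same string: "Setting this setting" reads better as "Enabling this as a trusted user", and the text says "Lix configuration" in the first sentence and "Nix flakes" in the next, so pick one product name for the paragraph.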
diff --git a/src/libstore/derivations.hh b/src/libstore/derivations.hh
index 7309918ce..f83dde621 100644
--- a/src/libstore/derivations.hh
+++ b/src/libstore/derivations.hh
@@ -208,7 +208,7 @@ struct DerivationType {
/**
* Impure derivation type
*
- * This is similar at buil-time to the content addressed, not standboxed, not fixed
+ * This is similar at build-time to the content addressed, not sandboxed, not fixed
* type, but has some restrictions on its usage.
*/
struct Impure {
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index ab33efe8a..947a2fbf0 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -331,7 +331,7 @@ public:
performed by the Lix account since that would allow users to
arbitrarily modify the Nix store and database by supplying specially
crafted builders; and they cannot be performed by the calling user
- since that would allow him/her to influence the build result.
+ since that would allow them to influence the build result.
Therefore, if this option is non-empty and specifies a valid group,
builds will be performed under the user accounts that are a member
@@ -352,10 +352,17 @@ public:
If the build users group is empty, builds will be performed under
the uid of the Lix process (that is, the uid of the caller if
- `NIX_REMOTE` is empty, the uid under which the Nix daemon runs if
- `NIX_REMOTE` is `daemon`). Obviously, this should not be used
+ both `NIX_REMOTE` is either empty or `auto` and the Nix store is
+ owned by that user, or, alternatively, the uid under which the Nix
+ daemon runs if `NIX_REMOTE` is `daemon` or if it is `auto` and the
+ store is not owned by the caller). Obviously, this should not be used
with a nix daemon accessible to untrusted clients.
+ For the avoidance of doubt, explicitly setting this to *empty* with a
+ Lix daemon running as root means that builds will be executed as root
+ with respect to the rest of the system.
+ We intend to fix this: https://git.lix.systems/lix-project/lix/issues/242
+
Defaults to `nixbld` when running as root, *empty* otherwise.
)",
{}, false};
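Review bot: The rewritten parenthetical "that is, the uid of the caller if both `NIX_REMOTE` is either empty or `auto` and the Nix store is owned by that user, or, alternatively, ..." is hard to parse, because "if both ... is either" stacks two conditions and an alternative into one sentence. Splitting it into two bullets, one for when builds run as the caller and one for when they run as the daemon's uid, would make the builds-as-root case much easier to spot. The added paragraph also says "Lix daemon" while the unchanged line just above it says "nix daemon", and the issue reference is a bare URL following "We intend to fix this:", a statement of intent that will go stale in a help string; a Markdown link labelled with the issue number would fit the surrounding text, which already uses backticks and `*empty*`.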
diff --git a/src/nix/flake.md b/src/nix/flake.md
index 9188bca74..8f0163717 100644
--- a/src/nix/flake.md
+++ b/src/nix/flake.md
@@ -394,15 +394,17 @@ The following attributes are supported in `flake.nix`:
value (e.g. `packages.x86_64-linux` must be an attribute set of
derivations built for the `x86_64-linux` platform).
-* `nixConfig`: a set of `nix.conf` options to be set when evaluating any
- part of a flake. In the interests of security, only a small set of
- set of options is allowed to be set without confirmation so long as [`accept-flake-config`](@docroot@/command-ref/conf-file.md#conf-accept-flake-config) is not enabled in the global configuration:
+* `nixConfig`: a set of `nix.conf` options to be set when evaluating any part of a flake.
+ This attribute is only considered if the flake is at top-level (i.e. if it is passed directly to `nix build`, `nix run`, etc, rather than as an input of another flake).
+ In the interests of security, only a small set of set of options is allowed to be set without confirmation so long as [`accept-flake-config`](@docroot@/command-ref/conf-file.md#conf-accept-flake-config) is not enabled in the global configuration:
- [`bash-prompt`](@docroot@/command-ref/conf-file.md#conf-bash-prompt)
- [`bash-prompt-prefix`](@docroot@/command-ref/conf-file.md#conf-bash-prompt-prefix)
- [`bash-prompt-suffix`](@docroot@/command-ref/conf-file.md#conf-bash-prompt-suffix)
- [`flake-registry`](@docroot@/command-ref/conf-file.md#conf-flake-registry)
- [`commit-lockfile-summary`](@docroot@/command-ref/conf-file.md#conf-commit-lockfile-summary)
+ For the avoidance of doubt, setting `accept-flake-config` in `nix.conf` or passing `--accept-flake-config` *allows root access to your machine* if you are running as a trusted user and don't read `nixConfig` in every flake you build.
+
## Flake inputs
The attribute `inputs` specifies the dependencies of a flake, as an
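Review bot: The added line beginning "In the interests of security" carries over the duplicated "set of set of" from the removed text, where it was hidden by a line break ("only a small set of" / "set of options"); drop one "set of" while the sentence is being reflowed. In the line above it, "etc" should be "etc.". The new "For the avoidance of doubt" paragraph is the main security warning for `nixConfig`, yet it sits after the allow-list bullets; consider moving it ahead of the list, and check that it stays indented under the `nixConfig` item so it does not render as a stray paragraph before "## Flake inputs".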