From b05a596d61a5e062fc07380f8e6421fcfcb37f07 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Sun, 31 Oct 2004 17:08:48 +0000 Subject: * Document setuid Nix installs. --- doc/manual/installation.xml | 51 +++++++++++++++++++++++++++++++++++++++------ doc/manual/schemas.xml | 2 +- 2 files changed, 46 insertions(+), 7 deletions(-) diff --git a/doc/manual/installation.xml b/doc/manual/installation.xml index 14cd55b63..15463a9b6 100644 --- a/doc/manual/installation.xml +++ b/doc/manual/installation.xml @@ -63,7 +63,11 @@ are included in the Nix source distribution. If you build from the Subversion repository, you must download them yourself and place them in the externals/ directory. See externals/Makefile.am for the precise URLs of -these packages. +these packages. Alternatively, if you already have them installed, +you can use configure's +and options to point to their respective +locations. Note that Berkeley DB must be version +4.2; other versions may not have compatible database formats. @@ -91,8 +95,7 @@ $ autoreconf -i configure. The default installation directory is /nix. You can change this to any location you like. You must have write permission to the -prefix path. - +prefix path. It is advisable not to change the installation prefix from its default, since doing so will in all @@ -123,7 +126,7 @@ based on glibc 2.3 or later. rpm -U. For example, -rpm -U nix-0.5pre664-1.i386.rpm +$ rpm -U nix-0.5pre664-1.i386.rpm The RPMs install into the directory /nix. Nix can be uninstalled using rpm -e nix. After @@ -131,8 +134,8 @@ this it will be necessary to manually remove the Nix store and other auxiliary data: -rm -rf /nix/store -rm -rf /nix/var +$ rm -rf /nix/store +$ rm -rf /nix/var @@ -147,6 +150,42 @@ respectively). When installed from the RPM packages, these directories are owned by root. +Setuid installation + +As a somewhat ad hoc hack, you can also +install the Nix binaries setuid so that a Nix store can +be shared among several users. To do this, configure Nix with the +--enable-setuid option. Nix will be installed as +owned by a user and group specified by the + and + +options. E.g., + + +$ ./configure --enable-setuid --with-nix-user=my_nix_user --with-nix-group=my_nix_group + +The user and group default to nix. You should make +sure that both the user and the group exist. Any real +users that you want to allow access should be added to the Nix +group. + +A setuid installation should only by used if the users +in the Nix group are mutually trusted, since any user in that group +has the ability to change anything in the Nix store or database. For +instance, they could install a trojan horse in executables used by +other users. + +On some platforms, the Nix binaries will be installed +as setuid root. They drop root privileges +immediately after startup and switch to the Nix user. The reason for +this is that both the real and effective user must be set to the Nix +user, and POSIX has no system call to do this. This is not the case +on systems that have the setresuid() system call +(such as Linux and FreeBSD), so on those systems the binaries are +simply owned by the Nix user. + + + diff --git a/doc/manual/schemas.xml b/doc/manual/schemas.xml index 076f3a141..691a517b9 100644 --- a/doc/manual/schemas.xml +++ b/doc/manual/schemas.xml @@ -1,4 +1,4 @@ - + -- cgit v1.2.3