From b47da5ea21df9ba558f05516198d401f76719cf5 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 16 May 2007 22:07:39 +0000 Subject: --- doc/manual/installation.xml | 118 ++++++++++++++++++++++++++++--------------- doc/manual/manual.xml | 2 +- doc/manual/release-notes.xml | 4 +- 3 files changed, 80 insertions(+), 44 deletions(-) diff --git a/doc/manual/installation.xml b/doc/manual/installation.xml index 2642bca1d..3a143e44f 100644 --- a/doc/manual/installation.xml +++ b/doc/manual/installation.xml @@ -6,6 +6,39 @@ Installation +
Supported platforms + +Nix is currently supported on the following platforms: + + + + Linux (particularly on x86, x86_64, and + PowerPC). + + Mac OS X, both on Intel and + PowerPC. + + FreeBSD (only tested on Intel). + + Windows through Cygwin. + + On Cygwin, Nix must be installed + on an NTFS partition. It will not work correctly on a FAT + partition. + + + + + + + +Nix is pretty portable, so it should work on most other Unix +platforms as well. + +
+ +
Obtaining Nix The easiest way to obtain Nix is to download a -$ autoreconf -i +$ ./boostrap The installation path can be specified by passing the to @@ -163,49 +196,44 @@ xlink:href="http://nix.cs.uu.nl/dist/nix/" />.
-
Permissions - -All Nix operations must be performed under the user ID that owns -the Nix store and database -(prefix/store and -prefix/var/nix/db, -respectively). When installed from the RPM packages, these -directories are owned by root. - -
Setuid installation - -As a somewhat ad hoc hack, you can also -install the Nix binaries setuid so that a Nix store can -be shared among several users. To do this, configure Nix with the ---enable-setuid option. Nix will be installed as -owned by a user and group specified by the -user and -group -options. E.g., +
Security + +Nix has two basic security models. First, it can be used in +“single-user mode”, which is similar to what most other package +management tools do: there is a single user (typically root) who performs all package +management operations. All other users can then use the installed +packages, but they cannot perform package management operations +themselves. + +Alternatively, you can configure Nix in “multi-user mode”. In +this model, all users can perform package management operations — for +instance, every user can install software without requiring root +privileges. Nix ensures that this is secure. For instance, it’s not +possible for one user to overwrite a package used by another user with +a Trojan horse. + + +
Single-user mode + +In single-user mode, all Nix operations that access the database +in prefix/var/nix/db +or modify the Nix store in +prefix/store must be +performed under the user ID that owns those directories. This is +typically root. (If you +install from RPM packages, that’s in fact the default ownership.) +However, on single-user machines, it is often convenient to +chown those directories to your normal user account +so that you don’t have to su to root all the time. - -$ ./configure --enable-setuid --with-nix-user=my_nix_user --with-nix-group=my_nix_group - -The user and group default to nix. You should make -sure that both the user and the group exist. Any real -users that you want to allow access should be added to the Nix -group. +
-A setuid installation should only by used if the users -in the Nix group are mutually trusted, since any user in that group -has the ability to change anything in the Nix store or database. For -instance, they could install a trojan horse in executables used by -other users. -On some platforms, the Nix binaries will be installed -as setuid root. They drop root privileges -immediately after startup and switch to the Nix user. The reason for -this is that both the real and effective user must be set to the Nix -user, and POSIX has no system call to do this. This is not the case -on systems that have the setresuid() system call -(such as Linux and FreeBSD), so on those systems the binaries are -simply owned by the Nix user. +
Multi-user mode + - +Multi-user mode has one important limitation: only +root can run nix-pull to register the availability +of pre-built binaries. However, those registrations +are used by all users to speed up +builds.
-
+ +
Using Nix diff --git a/doc/manual/manual.xml b/doc/manual/manual.xml index d8fd5ddb2..35b4417f1 100644 --- a/doc/manual/manual.xml +++ b/doc/manual/manual.xml @@ -85,7 +85,7 @@ nix-prefetch-url
-
+
nix-pull
diff --git a/doc/manual/release-notes.xml b/doc/manual/release-notes.xml index 43358fe55..c3bc060cb 100644 --- a/doc/manual/release-notes.xml +++ b/doc/manual/release-notes.xml @@ -12,7 +12,9 @@ - TODO: multi-user support. + TODO: multi-user support. The old setuid method for + sharing a store between multiple users has been + removed. nix-copy-closure copies the -- cgit v1.2.3