path: root/doc/manual/installation/multi-user.xml
blob: 49c4f723597e3e1e444bd09d243649e88a85b6c5 (plain)
<section xmlns="http://docbook.org/ns/docbook"
      xmlns:xlink="http://www.w3.org/1999/xlink"
      xmlns:xi="http://www.w3.org/2001/XInclude"
      version="5.0"
      xml:id="ssec-multi-user">

<title>Multi-User Mode</title>

<para>To allow a Nix store to be shared safely among multiple users,
it is important that users are not able to run builders that modify
the Nix store or database in arbitrary ways, or that interfere with
builds started by other users.  If they could do so, they could
install a Trojan horse in some package and compromise the accounts of
other users.</para>

<para>To prevent this, the Nix store and database are owned by some
privileged user (usually <literal>root</literal>) and builders are
executed under special user accounts (usually named
<literal>nixbld1</literal>, <literal>nixbld2</literal>, etc.).  When an
unprivileged user runs a Nix command, actions that operate on the Nix
store (such as builds) are forwarded to a <emphasis>Nix
daemon</emphasis> running under the owner of the Nix store/database
that performs the operation.</para>

<note><para>Multi-user mode has one important limitation: only
<systemitem class="username">root</systemitem> and a set of trusted
users specified in <filename>nix.conf</filename> can specify arbitrary
binary caches. So while unprivileged users may install packages from
arbitrary Nix expressions, they may not get pre-built
binaries.</para></note>


<simplesect>

<title>Setting up the build users</title>

<para>The <emphasis>build users</emphasis> are the special UIDs under
which builds are performed.  They should all be members of the
<emphasis>build users group</emphasis> <literal>nixbld</literal>.
This group should have no other members.  The build users should not
be members of any other group. On Linux, you can create the group and
users as follows:

<screen>
$ groupadd -r nixbld
$ for n in $(seq 1 10); do useradd -c "Nix build user $n" \
    -d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" \
    nixbld$n; done
</screen>

This creates 10 build users. There can never be more concurrent builds
than the number of build users, so you may want to increase this if
you expect to do many builds at the same time.</para>

<para>On Mac OS X, you can create the required group and users by
running the following script:

<programlisting>
#! /bin/bash -e

dseditgroup -o create nixbld -q

gid=$(dscl . -read /Groups/nixbld | awk '($1 == "PrimaryGroupID:") {print $2 }')

echo "created nixbld group with gid $gid"

for i in $(seq 1 10); do
    user=/Users/nixbld$i
    uid="$((30000 + $i))"
    dscl . create $user
    dscl . create $user RealName "Nix build user $i"
    dscl . create $user PrimaryGroupID "$gid"
    dscl . create $user UserShell /usr/bin/false
    dscl . create $user NFSHomeDirectory /var/empty
    dscl . create $user UniqueID "$uid"
    dseditgroup -o edit -a nixbld$i -t user nixbld
    echo "created nixbld$i user with uid $uid"
done
</programlisting>

</para>

</simplesect>


<simplesect>

<title>Running the daemon</title>

<para>The <link linkend="sec-nix-daemon">Nix daemon</link> should be
started as follows (as <literal>root</literal>):

<screen>
$ nix-daemon</screen>

You’ll want to put that line somewhere in your system’s boot
scripts.</para>

<para>To let unprivileged users use the daemon, they should set the
<link linkend="envar-remote"><envar>NIX_REMOTE</envar> environment
variable</link> to <literal>daemon</literal>.  So you should put a
line like

<programlisting>
export NIX_REMOTE=daemon</programlisting>

into the users’ login scripts.</para>

</simplesect>


<simplesect>

<title>Restricting access</title>

<para>To limit which users can perform Nix operations, you can use the
permissions on the directory
<filename>/nix/var/nix/daemon-socket</filename>.  For instance, if you
want to restrict the use of Nix to the members of a group called
<literal>nix-users</literal>, do

<screen>
$ chgrp nix-users /nix/var/nix/daemon-socket
$ chmod ug=rwx,o= /nix/var/nix/daemon-socket
</screen>

This way, users who are not in the <literal>nix-users</literal> group
cannot connect to the Unix domain socket
<filename>/nix/var/nix/daemon-socket/socket</filename>, so they cannot
perform Nix operations.</para>
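
<para>The following audit script is an added example, not part of the original manual or of Nix itself. It checks the rules stated in this section: the build users group has no outside members, build users belong to no other group, and the daemon socket directory is closed to everyone outside its group. It assumes build users are named after the group plus a number (nixbld1, nixbld2, ...) and that accounts are stored in passwd/group-format files as on Linux; the function names and finding labels are hypothetical.</para>

```shell
#!/bin/sh
# Added example: audit the build-user and socket rules from this section.

# Print one finding per violation; print nothing when the accounts are clean.
#   $1 = group(5)-format file   $2 = passwd(5)-format file
#   $3 = build users group (default nixbld; build users assumed named GROUPn)
audit_build_users() {
    awk -F: -v grp="${3:-nixbld}" '
        BEGIN { gid = "none"; pat = "^" grp "[0-9]+$" }
        FNR == NR {                      # pass 1: the group file
            split($4, m, ",")
            for (i in m) {
                if (m[i] == "") continue
                if ($1 != grp) other[m[i]] = other[m[i]] " " $1
                else if (m[i] !~ pat) print "extra-member " m[i]
            }
            if ($1 == grp) gid = $3
            next
        }
        $1 ~ pat {                       # pass 2: build users in passwd
            if ($4 != gid) print "wrong-primary-group " $1
            if ($1 in other) print "other-group " $1 ":" other[$1]
            next
        }
        $4 == gid { print "extra-member " $1 }   # outsider whose primary group is grp
        END { if (gid == "none") print "missing-group " grp }
    ' "$1" "$2"
}

# Succeed only if directory $1 has group $2 and grants "other" no access,
# i.e. the state left by the chgrp/chmod pair shown above.
socket_dir_restricted() {
    line=$(ls -ld "$1") || return 2
    mode=$(printf '%s\n' "$line" | awk '{ print $1 }')
    group=$(printf '%s\n' "$line" | awk '{ print $4 }')
    case "$mode" in
        d??????---*) ;;                  # rwx bits for "other" all clear
        *) return 1 ;;
    esac
    [ "$group" = "$2" ]
}

# Typical use on Linux (as root):
#   audit_build_users /etc/group /etc/passwd
#   socket_dir_restricted /nix/var/nix/daemon-socket nix-users
```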

</simplesect>


</section>