forked from lix-project/lix
92bcb61127
except in older release notes where the name was actually Mac OS X.
136 lines
4.2 KiB
XML
136 lines
4.2 KiB
XML
<section xmlns="http://docbook.org/ns/docbook"
|
||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||
version="5.0"
|
||
xml:id="ssec-multi-user">
|
||
|
||
<title>Multi-User Mode</title>
|
||
|
||
<para>To allow a Nix store to be shared safely among multiple users,
|
||
it is important that users are not able to run builders that modify
|
||
the Nix store or database in arbitrary ways, or that interfere with
|
||
builds started by other users. If they could do so, they could
|
||
install a Trojan horse in some package and compromise the accounts of
|
||
other users.</para>
|
||
|
||
<para>To prevent this, the Nix store and database are owned by some
|
||
privileged user (usually <literal>root</literal>) and builders are
|
||
executed under special user accounts (usually named
|
||
<literal>nixbld1</literal>, <literal>nixbld2</literal>, etc.). When a
|
||
unprivileged user runs a Nix command, actions that operate on the Nix
|
||
store (such as builds) are forwarded to a <emphasis>Nix
|
||
daemon</emphasis> running under the owner of the Nix store/database
|
||
that performs the operation.</para>
|
||
|
||
<note><para>Multi-user mode has one important limitation: only
|
||
<systemitem class="username">root</systemitem> and a set of trusted
|
||
users specified in <filename>nix.conf</filename> can specify arbitrary
|
||
binary caches. So while unprivileged users may install packages from
|
||
arbitrary Nix expressions, they may not get pre-built
|
||
binaries.</para></note>
|
||
|
||
|
||
<simplesect>
|
||
|
||
<title>Setting up the build users</title>
|
||
|
||
<para>The <emphasis>build users</emphasis> are the special UIDs under
|
||
which builds are performed. They should all be members of the
|
||
<emphasis>build users group</emphasis> <literal>nixbld</literal>.
|
||
This group should have no other members. The build users should not
|
||
be members of any other group. On Linux, you can create the group and
|
||
users as follows:
|
||
|
||
<screen>
|
||
$ groupadd -r nixbld
|
||
$ for n in $(seq 1 10); do useradd -c "Nix build user $n" \
|
||
-d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" \
|
||
nixbld$n; done
|
||
</screen>
|
||
|
||
This creates 10 build users. There can never be more concurrent builds
|
||
than the number of build users, so you may want to increase this if
|
||
you expect to do many builds at the same time.</para>
|
||
|
||
<para>On macOS, you can create the required group and users by
|
||
running the following script:
|
||
|
||
<programlisting>
|
||
#! /bin/bash -e
|
||
|
||
dseditgroup -o create nixbld -q
|
||
|
||
gid=$(dscl . -read /Groups/nixbld | awk '($1 == "PrimaryGroupID:") {print $2 }')
|
||
|
||
echo "created nixbld group with gid $gid"
|
||
|
||
for i in $(seq 1 10); do
|
||
user=/Users/nixbld$i
|
||
uid="$((30000 + $i))"
|
||
dscl . create $user
|
||
dscl . create $user RealName "Nix build user $i"
|
||
dscl . create $user PrimaryGroupID "$gid"
|
||
dscl . create $user UserShell /usr/bin/false
|
||
dscl . create $user NFSHomeDirectory /var/empty
|
||
dscl . create $user UniqueID "$uid"
|
||
dseditgroup -o edit -a nixbld$i -t user nixbld
|
||
echo "created nixbld$i user with uid $uid"
|
||
done
|
||
</programlisting>
|
||
|
||
</para>
|
||
|
||
</simplesect>
|
||
|
||
|
||
<simplesect>
|
||
|
||
<title>Running the daemon</title>
|
||
|
||
<para>The <link linkend="sec-nix-daemon">Nix daemon</link> should be
|
||
started as follows (as <literal>root</literal>):
|
||
|
||
<screen>
|
||
$ nix-daemon</screen>
|
||
|
||
You’ll want to put that line somewhere in your system’s boot
|
||
scripts.</para>
|
||
|
||
<para>To let unprivileged users use the daemon, they should set the
|
||
<link linkend="envar-remote"><envar>NIX_REMOTE</envar> environment
|
||
variable</link> to <literal>daemon</literal>. So you should put a
|
||
line like
|
||
|
||
<programlisting>
|
||
export NIX_REMOTE=daemon</programlisting>
|
||
|
||
into the users’ login scripts.</para>
|
||
|
||
</simplesect>
|
||
|
||
|
||
<simplesect>
|
||
|
||
<title>Restricting access</title>
|
||
|
||
<para>To limit which users can perform Nix operations, you can use the
|
||
permissions on the directory
|
||
<filename>/nix/var/nix/daemon-socket</filename>. For instance, if you
|
||
want to restrict the use of Nix to the members of a group called
|
||
<literal>nix-users</literal>, do
|
||
|
||
<screen>
|
||
$ chgrp nix-users /nix/var/nix/daemon-socket
|
||
$ chmod ug=rwx,o= /nix/var/nix/daemon-socket
|
||
</screen>
|
||
|
||
This way, users who are not in the <literal>nix-users</literal> group
|
||
cannot connect to the Unix domain socket
|
||
<filename>/nix/var/nix/daemon-socket/socket</filename>, so they cannot
|
||
perform Nix operations.</para>
|
||
|
||
</simplesect>
|
||
|
||
|
||
</section>
|