lix-project/lix
20
55
Fork 31
Code Issues 344 Code Review (Gerrit) Projects 3 Releases Wiki Activity

reword documentation on trusted users and substituters

Browse source 
this is to make it slightly easier to scan over
This commit is contained in:
Valentin Gagarin 2023-03-05 02:36:26 +01:00
parent 946cd9e3f9
commit e09b40e0d0
2 changed files with 21 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
src/libstore/globals.hh
View file

@ -700,8 +700,8 @@ public:
At least one of the following conditions must be met for Nix to use a substituter: At least one of the following conditions must be met for Nix to use a substituter:
- the substituter is in the [`trusted-substituters`](#conf-trusted-substituters) list - The substituter is in the [`trusted-substituters`](#conf-trusted-substituters) list
- the user calling Nix is in the [`trusted-users`](#conf-trusted-users) list - The user calling Nix is in the [`trusted-users`](#conf-trusted-users) list
In addition, each store path should be trusted as described in [`trusted-public-keys`](#conf-trusted-public-keys) In addition, each store path should be trusted as described in [`trusted-public-keys`](#conf-trusted-public-keys)
)", )",
@ -710,12 +710,10 @@ public:
Setting<StringSet> trustedSubstituters{ Setting<StringSet> trustedSubstituters{
this, {}, "trusted-substituters", this, {}, "trusted-substituters",
R"( R"(
A list of [URLs of Nix stores](@docroot@/command-ref/new-cli/nix3-help-stores.md#store-url-format), A list of [URLs of Nix stores](@docroot@/command-ref/new-cli/nix3-help-stores.md#store-url-format), separated by whitespace.
separated by whitespace. These are These are not used by default, but can be enabled by users of the Nix daemon by specifying [`substituters`](#conf-substituters).
not used by default, but can be enabled by users of the Nix daemon
by specifying `--option substituters urls` on the command Unprivileged users are only allowed to pass as `substituters` only those URLs listed in `trusted-substituters`.
line. Unprivileged users are only allowed to pass a subset of the
URLs listed in `substituters` and `trusted-substituters`.
)", )",
{"trusted-binary-caches"}}; {"trusted-binary-caches"}};

30
src/nix/daemon.cc
View file

@ -55,19 +55,16 @@ struct AuthorizationSettings : Config {
Setting<Strings> trustedUsers{ Setting<Strings> trustedUsers{
this, {"root"}, "trusted-users", this, {"root"}, "trusted-users",
R"( R"(
A list of names of users (separated by whitespace) that have A list of user names, separated by whitespace.
additional rights when connecting to the Nix daemon, such as the These users will have additional rights when connecting to the Nix daemon, such as the ability to specify additional [substituters](#conf-substituters), or to import unsigned [NAR](@docroot@/glossary.md#gloss-nar)s.
ability to specify additional binary caches, or to import unsigned
NARs. You can also specify groups by prefixing them with `@`; for You can also specify groups by prefixing names with `@`.
instance, `@wheel` means all users in the `wheel` group. The default For instance, `@wheel` means all users in the `wheel` group.
is `root`.
> **Warning** > **Warning**
> >
> Adding a user to `trusted-users` is essentially equivalent to > Adding a user to `trusted-users` is essentially equivalent to giving that user root access to the system.
> giving that user root access to the system. For example, the user > For example, the user can set [`sandbox-paths`](#conf-sandbox-paths) and thereby obtain read access to directories that are otherwise inacessible to them.
> can set `sandbox-paths` and thereby obtain read access to
> directories that are otherwise inacessible to them.
)"}; )"};
/** /**
@ -76,12 +73,15 @@ struct AuthorizationSettings : Config {
Setting<Strings> allowedUsers{ Setting<Strings> allowedUsers{
this, {"*"}, "allowed-users", this, {"*"}, "allowed-users",
R"( R"(
A list of names of users (separated by whitespace) that are allowed A list user names, separated by whitespace.
to connect to the Nix daemon. As with the `trusted-users` option, These users are allowed to connect to the Nix daemon.
you can specify groups by prefixing them with `@`. Also, you can
allow all users by specifying `*`. The default is `*`.
Note that trusted users are always allowed to connect. As with the [`trusted-users`](#conf-trusted-users) option, you can specify groups by prefixing names with `@`.
Also, you can allow all users by specifying `*`.
> **Note**
>
> Trusted users are always allowed to connect to the Nix daemon.
)"}; )"};
}; };