lix-project/lix
20
55
Fork 31
Code Issues 344 Code Review (Gerrit) Projects 3 Releases Wiki Activity

reword documentation on trusted users and substituters

Browse source 
this is to make it slightly easier to scan over
This commit is contained in:
Valentin Gagarin 2023-03-05 02:36:26 +01:00
parent 946cd9e3f9
commit e09b40e0d0
2 changed files with 21 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
src/libstore/globals.hh
View file

@ -700,8 +700,8 @@ public:
At least one of the following conditions must be met for Nix to use a substituter:
- the substituter is in the [`trusted-substituters`](#conf-trusted-substituters) list
- the user calling Nix is in the [`trusted-users`](#conf-trusted-users) list
- The substituter is in the [`trusted-substituters`](#conf-trusted-substituters) list
- The user calling Nix is in the [`trusted-users`](#conf-trusted-users) list
In addition, each store path should be trusted as described in [`trusted-public-keys`](#conf-trusted-public-keys)
)",
@ -710,12 +710,10 @@ public:
Setting<StringSet> trustedSubstituters{
this, {}, "trusted-substituters",
R"(
A list of [URLs of Nix stores](@docroot@/command-ref/new-cli/nix3-help-stores.md#store-url-format),
separated by whitespace. These are
not used by default, but can be enabled by users of the Nix daemon
by specifying `--option substituters urls` on the command
line. Unprivileged users are only allowed to pass a subset of the
URLs listed in `substituters` and `trusted-substituters`.
A list of [URLs of Nix stores](@docroot@/command-ref/new-cli/nix3-help-stores.md#store-url-format), separated by whitespace.
These are not used by default, but can be enabled by users of the Nix daemon by specifying [`substituters`](#conf-substituters).
Unprivileged users are only allowed to pass as `substituters` only those URLs listed in `trusted-substituters`.
)",
{"trusted-binary-caches"}};

30
src/nix/daemon.cc
View file

@ -55,19 +55,16 @@ struct AuthorizationSettings : Config {
Setting<Strings> trustedUsers{
this, {"root"}, "trusted-users",
R"(
A list of names of users (separated by whitespace) that have
additional rights when connecting to the Nix daemon, such as the
ability to specify additional binary caches, or to import unsigned
NARs. You can also specify groups by prefixing them with `@`; for
instance, `@wheel` means all users in the `wheel` group. The default
is `root`.
A list of user names, separated by whitespace.
These users will have additional rights when connecting to the Nix daemon, such as the ability to specify additional [substituters](#conf-substituters), or to import unsigned [NAR](@docroot@/glossary.md#gloss-nar)s.
You can also specify groups by prefixing names with `@`.
For instance, `@wheel` means all users in the `wheel` group.
> **Warning**
>
> Adding a user to `trusted-users` is essentially equivalent to
> giving that user root access to the system. For example, the user
> can set `sandbox-paths` and thereby obtain read access to
> directories that are otherwise inacessible to them.
> Adding a user to `trusted-users` is essentially equivalent to giving that user root access to the system.
> For example, the user can set [`sandbox-paths`](#conf-sandbox-paths) and thereby obtain read access to directories that are otherwise inacessible to them.
)"};
/**
@ -76,12 +73,15 @@ struct AuthorizationSettings : Config {
Setting<Strings> allowedUsers{
this, {"*"}, "allowed-users",
R"(
A list of names of users (separated by whitespace) that are allowed
to connect to the Nix daemon. As with the `trusted-users` option,
you can specify groups by prefixing them with `@`. Also, you can
allow all users by specifying `*`. The default is `*`.
A list user names, separated by whitespace.
These users are allowed to connect to the Nix daemon.
Note that trusted users are always allowed to connect.
As with the [`trusted-users`](#conf-trusted-users) option, you can specify groups by prefixing names with `@`.
Also, you can allow all users by specifying `*`.
> **Note**
>
> Trusted users are always allowed to connect to the Nix daemon.
)"};
};