From e09b40e0d0b68ca7c3646ddffb50e1356daec997 Mon Sep 17 00:00:00 2001
From: Valentin Gagarin
Date: Sun, 5 Mar 2023 02:36:26 +0100
Subject: [PATCH 01/10] reword documentation on trusted users and substituters this is to make it slightly easier to scan over
---
src/libstore/globals.hh | 14 ++++++--------
src/nix/daemon.cc | 30 +++++++++++++++---------------
2 files changed, 21 insertions(+), 23 deletions(-)
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 820898350..b0c025c8e 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -700,8 +700,8 @@ public: At least one of the following conditions must be met for Nix to use a substituter: - - the substituter is in the [`trusted-substituters`](#conf-trusted-substituters) list - - the user calling Nix is in the [`trusted-users`](#conf-trusted-users) list + - The substituter is in the [`trusted-substituters`](#conf-trusted-substituters) list + - The user calling Nix is in the [`trusted-users`](#conf-trusted-users) list In addition, each store path should be trusted as described in [`trusted-public-keys`](#conf-trusted-public-keys) )",
@@ -710,12 +710,10 @@ public: Setting trustedSubstituters{ this, {}, "trusted-substituters", R"( - A list of [URLs of Nix stores](@docroot@/command-ref/new-cli/nix3-help-stores.md#store-url-format), - separated by whitespace. These are - not used by default, but can be enabled by users of the Nix daemon - by specifying `--option substituters urls` on the command - line. Unprivileged users are only allowed to pass a subset of the - URLs listed in `substituters` and `trusted-substituters`. + A list of [URLs of Nix stores](@docroot@/command-ref/new-cli/nix3-help-stores.md#store-url-format), separated by whitespace. + These are not used by default, but can be enabled by users of the Nix daemon by specifying [`substituters`](#conf-substituters). + + Unprivileged users are only allowed to pass as `substituters` only those URLs listed in `trusted-substituters`. )", {"trusted-binary-caches"}};
diff --git a/src/nix/daemon.cc b/src/nix/daemon.cc
index 9fe9b3b1e..09adab5d3 100644
--- a/src/nix/daemon.cc
+++ b/src/nix/daemon.cc
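Review bot: The rewritten last paragraph of the `trusted-substituters` description narrows the stated rule: the removed lines said unprivileged users may pass a subset of the URLs listed in `substituters` and `trusted-substituters`, while the added line names `trusted-substituters` alone. The hunks in this commit change only documentation strings, so unless the daemon's option check was changed elsewhere the description now understates what an unprivileged client may request; the same wording is carried through the follow-up hunks in PATCH 02/10, 04/10, 06/10 and 09/10. If both sets are still accepted, I would write ``Unprivileged users are allowed to pass as `substituters` only those URLs that are already listed in `substituters` or `trusted-substituters`.`` — please confirm against the daemon's handling of the `substituters` option before merging.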
@@ -55,19 +55,16 @@ struct AuthorizationSettings : Config { Setting trustedUsers{ this, {"root"}, "trusted-users", R"( - A list of names of users (separated by whitespace) that have - additional rights when connecting to the Nix daemon, such as the - ability to specify additional binary caches, or to import unsigned - NARs. You can also specify groups by prefixing them with `@`; for - instance, `@wheel` means all users in the `wheel` group. The default - is `root`. + A list of user names, separated by whitespace. + These users will have additional rights when connecting to the Nix daemon, such as the ability to specify additional [substituters](#conf-substituters), or to import unsigned [NAR](@docroot@/glossary.md#gloss-nar)s. + + You can also specify groups by prefixing names with `@`. + For instance, `@wheel` means all users in the `wheel` group. > **Warning** > - > Adding a user to `trusted-users` is essentially equivalent to - > giving that user root access to the system. For example, the user - > can set `sandbox-paths` and thereby obtain read access to - > directories that are otherwise inacessible to them. + > Adding a user to `trusted-users` is essentially equivalent to giving that user root access to the system. + > For example, the user can set [`sandbox-paths`](#conf-sandbox-paths) and thereby obtain read access to directories that are otherwise inacessible to them. )"}; /** 
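Review bot: The reworded warning in the `trusted-users` description still speaks only of adding a user, although the same hunk now documents `@`-prefixed groups such as `@wheel`; the root-equivalent rights apply to every member of a listed group, and the warning should say so. I would add one line to the warning block: ``> The same applies to every member of a group listed with `@`.`` The second warning line is rewritten again in PATCH 10/10 (hunk `@@ -64,7 +64,7 @@`) without addressing this. Dropping the sentence ``The default is `root`.`` is fine only if the rendered settings documentation prints the Setting's default (`{"root"}` in this hunk's context) — worth confirming.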
@@ -76,12 +73,15 @@ struct AuthorizationSettings : Config { Setting allowedUsers{ this, {"*"}, "allowed-users", R"( - A list of names of users (separated by whitespace) that are allowed - to connect to the Nix daemon. As with the `trusted-users` option, - you can specify groups by prefixing them with `@`. Also, you can - allow all users by specifying `*`. The default is `*`. + A list user names, separated by whitespace. + These users are allowed to connect to the Nix daemon. - Note that trusted users are always allowed to connect. + As with the [`trusted-users`](#conf-trusted-users) option, you can specify groups by prefixing names with `@`. + Also, you can allow all users by specifying `*`. + + > **Note** + > + > Trusted users are always allowed to connect to the Nix daemon. )"}; };
From b7d47e1d22e7ce2785487d325cc3dd35a43f16b5 Mon Sep 17 00:00:00 2001
From: Valentin Gagarin
Date: Thu, 15 Jun 2023 04:58:07 +0200
Subject: [PATCH 02/10] fix wording
---
src/libstore/globals.hh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index b0c025c8e..f63ec8b50 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -713,7 +713,7 @@ public: A list of [URLs of Nix stores](@docroot@/command-ref/new-cli/nix3-help-stores.md#store-url-format), separated by whitespace. These are not used by default, but can be enabled by users of the Nix daemon by specifying [`substituters`](#conf-substituters). - Unprivileged users are only allowed to pass as `substituters` only those URLs listed in `trusted-substituters`. + Unprivileged users are allowed to pass as `substituters` only those URLs listed in `trusted-substituters`. )", {"trusted-binary-caches"}};
From e1fa48f17c0bb0f73e97e684077cec8dfa1d7a3d Mon Sep 17 00:00:00 2001
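Review bot: The new first line of the `allowed-users` description, `A list user names, separated by whitespace.`, is missing a word and should read `A list of user names, separated by whitespace.` The line survives unchanged as context in the PATCH 07/10 hunk, so none of the later commits in this series fix it. Dropping the sentence ``The default is `*`.`` is fine only if the rendered settings documentation prints the Setting's default (`{"*"}` in this hunk's context).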
From: John Ericson
Date: Thu, 15 Jun 2023 07:41:37 -0400
Subject: [PATCH 03/10] Update src/nix/daemon.cc
Co-authored-by: Valentin Gagarin
---
src/nix/daemon.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/nix/daemon.cc b/src/nix/daemon.cc
index 09adab5d3..a57070c56 100644
--- a/src/nix/daemon.cc
+++ b/src/nix/daemon.cc
@@ -81,7 +81,7 @@ struct AuthorizationSettings : Config { > **Note** > - > Trusted users are always allowed to connect to the Nix daemon. + > Trusted users (set in [`trusted-users`](#conf-trusted-users)) can always to connect to the Nix daemon. )"}; };
From 2ceacce484e21ac116a79c74877327355fd153d0 Mon Sep 17 00:00:00 2001
From: Valentin Gagarin
Date: Thu, 15 Jun 2023 15:57:54 +0200
Subject: [PATCH 04/10] Update src/libstore/globals.hh
---
src/libstore/globals.hh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index f63ec8b50..46147a5e1 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -713,7 +713,7 @@ public: A list of [URLs of Nix stores](@docroot@/command-ref/new-cli/nix3-help-stores.md#store-url-format), separated by whitespace. These are not used by default, but can be enabled by users of the Nix daemon by specifying [`substituters`](#conf-substituters). - Unprivileged users are allowed to pass as `substituters` only those URLs listed in `trusted-substituters`. + Unprivileged users (those set in only [`allowed-users`](#conf-allowed-users) but not [`trusted-users`](#conf-trusted-users)) can pass as `substituters` only those URLs listed in `trusted-substituters`. )", {"trusted-binary-caches"}};
From 4a33d5fe3549137bacf9373e5ba7bfe11a421099 Mon Sep 17 00:00:00 2001
From: Valentin Gagarin
Date: Fri, 16 Jun 2023 14:33:31 +0200
Subject: [PATCH 05/10] fix link text
Co-authored-by: Robert Hensing
---
src/nix/daemon.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
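Review bot: The parenthetical added in the PATCH 04/10 hunk (`@@ -713,7 +713,7 @@`), ``(those set in only [`allowed-users`](#conf-allowed-users) but not [`trusted-users`](#conf-trusted-users))``, misplaces "only" and is carried unchanged through the PATCH 06/10 and 09/10 hunks. It is also imprecise as a definition: `allowed-users` defaults to `*` (visible in the PATCH 01/10 hunk for that setting), so an unprivileged user is usually not "set in" it at all. I would write ``Unprivileged users (those permitted to connect by [`allowed-users`](#conf-allowed-users) but not listed in [`trusted-users`](#conf-trusted-users)) can pass as `substituters` only those URLs listed in `trusted-substituters`.``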
diff --git a/src/nix/daemon.cc b/src/nix/daemon.cc
index a57070c56..d0e70a7b1 100644
--- a/src/nix/daemon.cc
+++ b/src/nix/daemon.cc
@@ -56,7 +56,7 @@ struct AuthorizationSettings : Config { this, {"root"}, "trusted-users", R"( A list of user names, separated by whitespace. - These users will have additional rights when connecting to the Nix daemon, such as the ability to specify additional [substituters](#conf-substituters), or to import unsigned [NAR](@docroot@/glossary.md#gloss-nar)s. + These users will have additional rights when connecting to the Nix daemon, such as the ability to specify additional [substituters](#conf-substituters), or to import unsigned [NARs](@docroot@/glossary.md#gloss-nar). You can also specify groups by prefixing names with `@`. For instance, `@wheel` means all users in the `wheel` group.
From 1a8ca85d488ddacf26f2aeddddab926c0e081d98 Mon Sep 17 00:00:00 2001
From: Valentin Gagarin
Date: Fri, 16 Jun 2023 14:34:11 +0200
Subject: [PATCH 06/10] use "store URLs" consistently
---
src/libstore/globals.hh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 46147a5e1..d2efd1505 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -710,7 +710,7 @@ public: Setting trustedSubstituters{ this, {}, "trusted-substituters", R"( - A list of [URLs of Nix stores](@docroot@/command-ref/new-cli/nix3-help-stores.md#store-url-format), separated by whitespace. + A list of [Nix store URLs](@docroot@/command-ref/new-cli/nix3-help-stores.md#store-url-format), separated by whitespace. These are not used by default, but can be enabled by users of the Nix daemon by specifying [`substituters`](#conf-substituters). Unprivileged users (those set in only [`allowed-users`](#conf-allowed-users) but not [`trusted-users`](#conf-trusted-users)) can pass as `substituters` only those URLs listed in `trusted-substituters`.
From 126eea48e300ab365c46ce062776e74a3907a7c8 Mon Sep 17 00:00:00 2001
From: Valentin Gagarin
Date: Fri, 16 Jun 2023 14:36:53 +0200
Subject: [PATCH 07/10] do not refer to `trusted-users` another time
---
src/nix/daemon.cc | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/nix/daemon.cc b/src/nix/daemon.cc
index d0e70a7b1..43d2f8f86 100644
--- a/src/nix/daemon.cc
+++ b/src/nix/daemon.cc
@@ -76,7 +76,8 @@ struct AuthorizationSettings : Config { A list user names, separated by whitespace. These users are allowed to connect to the Nix daemon. - As with the [`trusted-users`](#conf-trusted-users) option, you can specify groups by prefixing names with `@`. + You can specify groups by prefixing names with `@`. + For instance, `@wheel` means all users in the `wheel` group. Also, you can allow all users by specifying `*`. > **Note**
From baef05e6fefb46b3bdddb2785861bd7190920506 Mon Sep 17 00:00:00 2001
From: Valentin Gagarin
Date: Fri, 16 Jun 2023 14:37:08 +0200
Subject: [PATCH 08/10] fix typo
Co-authored-by: Robert Hensing
---
src/nix/daemon.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/nix/daemon.cc b/src/nix/daemon.cc
index 43d2f8f86..6dcd7f94d 100644
--- a/src/nix/daemon.cc
+++ b/src/nix/daemon.cc
@@ -82,7 +82,7 @@ struct AuthorizationSettings : Config { > **Note** > - > Trusted users (set in [`trusted-users`](#conf-trusted-users)) can always to connect to the Nix daemon. + > Trusted users (set in [`trusted-users`](#conf-trusted-users)) can always connect to the Nix daemon. )"}; };
From f695a74751c314cc426ff7bbc67ce5de8b58bbfd Mon Sep 17 00:00:00 2001
From: Valentin Gagarin
Date: Fri, 16 Jun 2023 17:58:01 +0200
Subject: [PATCH 09/10] Update src/libstore/globals.hh
---
src/libstore/globals.hh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index d2efd1505..05aa8288a 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -711,7 +711,7 @@ public: this, {}, "trusted-substituters", R"( A list of [Nix store URLs](@docroot@/command-ref/new-cli/nix3-help-stores.md#store-url-format), separated by whitespace. - These are not used by default, but can be enabled by users of the Nix daemon by specifying [`substituters`](#conf-substituters). + These are not used by default, but users of the Nix daemon can enable them by specifying [`substituters`](#conf-substituters). Unprivileged users (those set in only [`allowed-users`](#conf-allowed-users) but not [`trusted-users`](#conf-trusted-users)) can pass as `substituters` only those URLs listed in `trusted-substituters`. )",
From e91d19db5f827cec56e32fe9b7c07c8d2c546ce6 Mon Sep 17 00:00:00 2001
From: Valentin Gagarin
Date: Tue, 20 Jun 2023 12:23:53 +0200
Subject: [PATCH 10/10] be more serious about security risks with trusted users
---
src/nix/daemon.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/nix/daemon.cc b/src/nix/daemon.cc
index 6dcd7f94d..41f826228 100644
--- a/src/nix/daemon.cc
+++ b/src/nix/daemon.cc
@@ -64,7 +64,7 @@ struct AuthorizationSettings : Config { > **Warning** > > Adding a user to `trusted-users` is essentially equivalent to giving that user root access to the system. - > For example, the user can set [`sandbox-paths`](#conf-sandbox-paths) and thereby obtain read access to directories that are otherwise inacessible to them. + > For example, the user can access or replace store path contents that are critical for system security. )"}; /**