forked from lix-project/lix
Merge pull request #8519 from fricklerhandwerk/reword-trusted-users
reword documentation on trusted users and substituters
This commit is contained in:
commit
fd4f03b8fd
2 changed files with 22 additions and 23 deletions
|
@ -700,8 +700,8 @@ public:
|
||||||
|
|
||||||
At least one of the following conditions must be met for Nix to use a substituter:
|
At least one of the following conditions must be met for Nix to use a substituter:
|
||||||
|
|
||||||
- the substituter is in the [`trusted-substituters`](#conf-trusted-substituters) list
|
- The substituter is in the [`trusted-substituters`](#conf-trusted-substituters) list
|
||||||
- the user calling Nix is in the [`trusted-users`](#conf-trusted-users) list
|
- The user calling Nix is in the [`trusted-users`](#conf-trusted-users) list
|
||||||
|
|
||||||
In addition, each store path should be trusted as described in [`trusted-public-keys`](#conf-trusted-public-keys)
|
In addition, each store path should be trusted as described in [`trusted-public-keys`](#conf-trusted-public-keys)
|
||||||
)",
|
)",
|
||||||
|
@ -710,12 +710,10 @@ public:
|
||||||
Setting<StringSet> trustedSubstituters{
|
Setting<StringSet> trustedSubstituters{
|
||||||
this, {}, "trusted-substituters",
|
this, {}, "trusted-substituters",
|
||||||
R"(
|
R"(
|
||||||
A list of [URLs of Nix stores](@docroot@/command-ref/new-cli/nix3-help-stores.md#store-url-format),
|
A list of [Nix store URLs](@docroot@/command-ref/new-cli/nix3-help-stores.md#store-url-format), separated by whitespace.
|
||||||
separated by whitespace. These are
|
These are not used by default, but users of the Nix daemon can enable them by specifying [`substituters`](#conf-substituters).
|
||||||
not used by default, but can be enabled by users of the Nix daemon
|
|
||||||
by specifying `--option substituters urls` on the command
|
Unprivileged users (those set in only [`allowed-users`](#conf-allowed-users) but not [`trusted-users`](#conf-trusted-users)) can pass as `substituters` only those URLs listed in `trusted-substituters`.
|
||||||
line. Unprivileged users are only allowed to pass a subset of the
|
|
||||||
URLs listed in `substituters` and `trusted-substituters`.
|
|
||||||
)",
|
)",
|
||||||
{"trusted-binary-caches"}};
|
{"trusted-binary-caches"}};
|
||||||
|
|
||||||
|
|
|
@ -56,19 +56,16 @@ struct AuthorizationSettings : Config {
|
||||||
Setting<Strings> trustedUsers{
|
Setting<Strings> trustedUsers{
|
||||||
this, {"root"}, "trusted-users",
|
this, {"root"}, "trusted-users",
|
||||||
R"(
|
R"(
|
||||||
A list of names of users (separated by whitespace) that have
|
A list of user names, separated by whitespace.
|
||||||
additional rights when connecting to the Nix daemon, such as the
|
These users will have additional rights when connecting to the Nix daemon, such as the ability to specify additional [substituters](#conf-substituters), or to import unsigned [NARs](@docroot@/glossary.md#gloss-nar).
|
||||||
ability to specify additional binary caches, or to import unsigned
|
|
||||||
NARs. You can also specify groups by prefixing them with `@`; for
|
You can also specify groups by prefixing names with `@`.
|
||||||
instance, `@wheel` means all users in the `wheel` group. The default
|
For instance, `@wheel` means all users in the `wheel` group.
|
||||||
is `root`.
|
|
||||||
|
|
||||||
> **Warning**
|
> **Warning**
|
||||||
>
|
>
|
||||||
> Adding a user to `trusted-users` is essentially equivalent to
|
> Adding a user to `trusted-users` is essentially equivalent to giving that user root access to the system.
|
||||||
> giving that user root access to the system. For example, the user
|
> For example, the user can access or replace store path contents that are critical for system security.
|
||||||
> can set `sandbox-paths` and thereby obtain read access to
|
|
||||||
> directories that are otherwise inacessible to them.
|
|
||||||
)"};
|
)"};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -77,12 +74,16 @@ struct AuthorizationSettings : Config {
|
||||||
Setting<Strings> allowedUsers{
|
Setting<Strings> allowedUsers{
|
||||||
this, {"*"}, "allowed-users",
|
this, {"*"}, "allowed-users",
|
||||||
R"(
|
R"(
|
||||||
A list of names of users (separated by whitespace) that are allowed
|
A list user names, separated by whitespace.
|
||||||
to connect to the Nix daemon. As with the `trusted-users` option,
|
These users are allowed to connect to the Nix daemon.
|
||||||
you can specify groups by prefixing them with `@`. Also, you can
|
|
||||||
allow all users by specifying `*`. The default is `*`.
|
|
||||||
|
|
||||||
Note that trusted users are always allowed to connect.
|
You can specify groups by prefixing names with `@`.
|
||||||
|
For instance, `@wheel` means all users in the `wheel` group.
|
||||||
|
Also, you can allow all users by specifying `*`.
|
||||||
|
|
||||||
|
> **Note**
|
||||||
|
>
|
||||||
|
> Trusted users (set in [`trusted-users`](#conf-trusted-users)) can always connect to the Nix daemon.
|
||||||
)"};
|
)"};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue