wroclaw-git-backups/nix
1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-07-07 14:21:48 +02:00
Code Activity

Merge pull request #68 from DeterminateSystems/remove-single-user-follow-up

Browse source 
Consolidate security doc into one
This commit is contained in:
Luc Perkins 2025-02-25 18:32:22 +00:00 committed by GitHub
commit 4154fe9428
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 89 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
doc/manual/source/SUMMARY.md.in
View file

@ -10,7 +10,7 @@
- [Obtaining a Source Distribution](installation/obtaining-source.md) - [Obtaining a Source Distribution](installation/obtaining-source.md)
- [Building Nix from Source](installation/building-source.md) - [Building Nix from Source](installation/building-source.md)
- [Using Nix within Docker](installation/installing-docker.md) - [Using Nix within Docker](installation/installing-docker.md)
- [Multi-User Mode](installation/multi-user.md) - [Security](installation/nix-security.md)
- [Environment Variables](installation/env-variables.md) - [Environment Variables](installation/env-variables.md)
- [Upgrading Nix](installation/upgrading.md) - [Upgrading Nix](installation/upgrading.md)
- [Uninstalling Nix](installation/uninstall.md) - [Uninstalling Nix](installation/uninstall.md)

2
doc/manual/source/command-ref/env-common.md
View file

@ -102,7 +102,7 @@ Most Nix commands interpret the following environment variables:
This variable should be set to `daemon` if you want to use the Nix This variable should be set to `daemon` if you want to use the Nix
daemon to execute Nix operations. This is necessary in [multi-user daemon to execute Nix operations. This is necessary in [multi-user
Nix installations](@docroot@/installation/multi-user.md). If the Nix Nix installations](@docroot@/installation/nix-security.md#multi-user-model). If the Nix
daemon's Unix socket is at some non-standard path, this variable daemon's Unix socket is at some non-standard path, this variable
should be set to `unix://path/to/socket`. Otherwise, it should be should be set to `unix://path/to/socket`. Otherwise, it should be
left unset. left unset.

3
doc/manual/source/installation/index.md
View file

@ -1,7 +1,8 @@
# Installation # Installation
This section describes how to install and configure Nix for first-time use. This section describes how to install and configure Nix for first-time use.
Nix follows a [multi-user](./multi-user.md) model on both Linux and macOS. Nix follows a [multi-user](./nix-security.md#multi-user-model) model on both Linux
and macOS.
```console ```console
$ curl -L https://nixos.org/nix/install | sh -s -- --daemon $ curl -L https://nixos.org/nix/install | sh -s -- --daemon

85
doc/manual/source/installation/nix-security.md Normal file
View file

@ -0,0 +1,85 @@
# Security
Nix follows a [**multi-user**](#multi-user-model) security model in which all
users can perform package management operations. Every user can, for example,
install software without requiring root privileges, and Nix ensures that this
is secure. It's *not* possible for one user to, for example, overwrite a
package used by another user with a Trojan horse.
## Multi-User model
To allow a Nix store to be shared safely among multiple users, it is
important that users are not able to run builders that modify the Nix
store or database in arbitrary ways, or that interfere with builds
started by other users. If they could do so, they could install a Trojan
horse in some package and compromise the accounts of other users.
To prevent this, the Nix store and database are owned by some privileged
user (usually `root`) and builders are executed under special user
accounts (usually named `nixbld1`, `nixbld2`, etc.). When a unprivileged
user runs a Nix command, actions that operate on the Nix store (such as
builds) are forwarded to a *Nix daemon* running under the owner of the
Nix store/database that performs the operation.
> **Note**
>
> Multi-user mode has one important limitation: only root and a set of
> trusted users specified in `nix.conf` can specify arbitrary binary
> caches. So while unprivileged users may install packages from
> arbitrary Nix expressions, they may not get pre-built binaries.
### Setting up the build users
The *build users* are the special UIDs under which builds are performed.
They should all be members of the *build users group* `nixbld`. This
group should have no other members. The build users should not be
members of any other group. On Linux, you can create the group and users
as follows:
```console
$ groupadd -r nixbld
$ for n in $(seq 1 10); do useradd -c "Nix build user $n" \
-d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" \
nixbld$n; done
```
This creates 10 build users. There can never be more concurrent builds
than the number of build users, so you may want to increase this if you
expect to do many builds at the same time.
### Running the daemon
The [Nix daemon](../command-ref/nix-daemon.md) should be started as
follows (as `root`):
```console
$ nix-daemon
```
Youll want to put that line somewhere in your systems boot scripts.
To let unprivileged users use the daemon, they should set the
[`NIX_REMOTE` environment variable](../command-ref/env-common.md) to
`daemon`. So you should put a line like
```console
export NIX_REMOTE=daemon
```
into the users login scripts.
### Restricting access
To limit which users can perform Nix operations, you can use the
permissions on the directory `/nix/var/nix/daemon-socket`. For instance,
if you want to restrict the use of Nix to the members of a group called
`nix-users`, do
```console
$ chgrp nix-users /nix/var/nix/daemon-socket
$ chmod ug=rwx,o= /nix/var/nix/daemon-socket
```
This way, users who are not in the `nix-users` group cannot connect to
the Unix domain socket `/nix/var/nix/daemon-socket/socket`, so they
cannot perform Nix operations.