Merge pull request #68 from DeterminateSystems/remove-single-user-follow-up

Consolidate security doc into one

doc/manual/source/SUMMARY.md.in

@@ -10,7 +10,7 @@
     - [Obtaining a Source Distribution](installation/obtaining-source.md)
     - [Building Nix from Source](installation/building-source.md)
   - [Using Nix within Docker](installation/installing-docker.md)
-  - [Multi-User Mode](installation/multi-user.md)
+  - [Security](installation/nix-security.md)
   - [Environment Variables](installation/env-variables.md)
   - [Upgrading Nix](installation/upgrading.md)
   - [Uninstalling Nix](installation/uninstall.md)

doc/manual/source/command-ref/env-common.md

@@ -102,7 +102,7 @@ Most Nix commands interpret the following environment variables:
 
   This variable should be set to `daemon` if you want to use the Nix
   daemon to execute Nix operations. This is necessary in [multi-user
-  Nix installations](@docroot@/installation/multi-user.md). If the Nix
+  Nix installations](@docroot@/installation/nix-security.md#multi-user-model). If the Nix
   daemon's Unix socket is at some non-standard path, this variable
   should be set to `unix://path/to/socket`. Otherwise, it should be
   left unset.

doc/manual/source/installation/index.md

@@ -1,7 +1,8 @@
 # Installation
 
 This section describes how to install and configure Nix for first-time use.
-Nix follows a [multi-user](./multi-user.md) model on both Linux and macOS.
+Nix follows a [multi-user](./nix-security.md#multi-user-model) model on both Linux
+and macOS.
 
 ```console
 $ curl -L https://nixos.org/nix/install | sh -s -- --daemon

doc/manual/source/installation/nix-security.md

@@ -0,0 +1,85 @@
+# Security
+
+Nix follows a [**multi-user**](#multi-user-model) security model in which all
+users can perform package management operations. Every user can, for example,
+install software without requiring root privileges, and Nix ensures that this
+is secure. It's *not* possible for one user to, for example, overwrite a
+package used by another user with a Trojan horse.
+
+## Multi-User model
+
+To allow a Nix store to be shared safely among multiple users, it is
+important that users are not able to run builders that modify the Nix
+store or database in arbitrary ways, or that interfere with builds
+started by other users. If they could do so, they could install a Trojan
+horse in some package and compromise the accounts of other users.
+
+To prevent this, the Nix store and database are owned by some privileged
+user (usually `root`) and builders are executed under special user
+accounts (usually named `nixbld1`, `nixbld2`, etc.). When a unprivileged
+user runs a Nix command, actions that operate on the Nix store (such as
+builds) are forwarded to a *Nix daemon* running under the owner of the
+Nix store/database that performs the operation.
+
+> **Note**
+>
+> Multi-user mode has one important limitation: only root and a set of
+> trusted users specified in `nix.conf` can specify arbitrary binary
+> caches. So while unprivileged users may install packages from
+> arbitrary Nix expressions, they may not get pre-built binaries.
+
+### Setting up the build users
+
+The *build users* are the special UIDs under which builds are performed.
+They should all be members of the *build users group* `nixbld`. This
+group should have no other members. The build users should not be
+members of any other group. On Linux, you can create the group and users
+as follows:
+
+```console
+$ groupadd -r nixbld
+$ for n in $(seq 1 10); do useradd -c "Nix build user $n" \
+    -d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" \
+    nixbld$n; done
+```
+
+This creates 10 build users. There can never be more concurrent builds
+than the number of build users, so you may want to increase this if you
+expect to do many builds at the same time.
+
+### Running the daemon
+
+The [Nix daemon](../command-ref/nix-daemon.md) should be started as
+follows (as `root`):
+
+```console
+$ nix-daemon
+```
+
+You’ll want to put that line somewhere in your system’s boot scripts.
+
+To let unprivileged users use the daemon, they should set the
+[`NIX_REMOTE` environment variable](../command-ref/env-common.md) to
+`daemon`. So you should put a line like
+
+```console
+export NIX_REMOTE=daemon
+```
+
+into the users’ login scripts.
+
+### Restricting access
+
+To limit which users can perform Nix operations, you can use the
+permissions on the directory `/nix/var/nix/daemon-socket`. For instance,
+if you want to restrict the use of Nix to the members of a group called
+`nix-users`, do
+
+```console
+$ chgrp nix-users /nix/var/nix/daemon-socket
+$ chmod ug=rwx,o= /nix/var/nix/daemon-socket
+```
+
+This way, users who are not in the `nix-users` group cannot connect to
+the Unix domain socket `/nix/var/nix/daemon-socket/socket`, so they
+cannot perform Nix operations.