106 lines
3.5 KiB
XML
106 lines
3.5 KiB
XML
|
<section xmlns="http://docbook.org/ns/docbook"
|
|||
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|||
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|||
|
version="5.0"
|
|||
|
xml:id="ssec-multi-user">
|
|||
|
|
|||
|
<title>Multi-User Mode</title>
|
|||
|
|
|||
|
<para>To allow a Nix store to be shared safely among multiple users,
|
|||
|
it is important that users are not able to run builders that modify
|
|||
|
the Nix store or database in arbitrary ways, or that interfere with
|
|||
|
builds started by other users. If they could do so, they could
|
|||
|
install a Trojan horse in some package and compromise the accounts of
|
|||
|
other users.</para>
|
|||
|
|
|||
|
<para>To prevent this, the Nix store and database are owned by some
|
|||
|
privileged user (usually <literal>root</literal>) and builders are
|
|||
|
executed under special user accounts (usually named
|
|||
|
<literal>nixbld1</literal>, <literal>nixbld2</literal>, etc.). When a
|
|||
|
unprivileged user runs a Nix command, actions that operate on the Nix
|
|||
|
store (such as builds) are forwarded to a <emphasis>Nix
|
|||
|
daemon</emphasis> running under the owner of the Nix store/database
|
|||
|
that performs the operation.</para>
|
|||
|
|
|||
|
<note>Multi-user mode has one important limitation: only
|
|||
|
<systemitem class="username">root</systemitem> can run <command
|
|||
|
linkend="sec-nix-pull">nix-pull</command> to register the availability
|
|||
|
of pre-built binaries. However, those registrations are shared by all
|
|||
|
users, so they still get the benefit from <command>nix-pull</command>s
|
|||
|
done by <systemitem class="username">root</systemitem>.</note>
|
|||
|
|
|||
|
|
|||
|
<simplesect>
|
|||
|
|
|||
|
<title>Setting up the build users</title>
|
|||
|
|
|||
|
<para>The <emphasis>build users</emphasis> are the special UIDs under
|
|||
|
which builds are performed. They should all be members of the
|
|||
|
<emphasis>build users group</emphasis> <literal>nixbld</literal>.
|
|||
|
This group should have no other members. The build users should not
|
|||
|
be members of any other group. On Linux, you can create the group and
|
|||
|
users as follows:
|
|||
|
|
|||
|
<screen>
|
|||
|
$ groupadd -r nixbld
|
|||
|
$ for n in $(seq 1 10); do useradd -c "Nix build user $n" \
|
|||
|
-d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" \
|
|||
|
nixbld$n; done
|
|||
|
</screen>
|
|||
|
|
|||
|
This creates 10 build users. There can never be more concurrent builds
|
|||
|
than the number of build users, so you may want to increase this if
|
|||
|
you expect to do many builds at the same time.</para>
|
|||
|
|
|||
|
</simplesect>
|
|||
|
|
|||
|
|
|||
|
<simplesect>
|
|||
|
|
|||
|
<title>Running the daemon</title>
|
|||
|
|
|||
|
<para>The <link linkend="sec-nix-daemon">Nix daemon</link> should be
|
|||
|
started as follows (as <literal>root</literal>):
|
|||
|
|
|||
|
<screen>
|
|||
|
$ nix-daemon</screen>
|
|||
|
|
|||
|
You’ll want to put that line somewhere in your system’s boot
|
|||
|
scripts.</para>
|
|||
|
|
|||
|
<para>To let unprivileged users use the daemon, they should set the
|
|||
|
<link linkend="envar-remote"><envar>NIX_REMOTE</envar> environment
|
|||
|
variable</link> to <literal>daemon</literal>. So you should put a
|
|||
|
line like
|
|||
|
|
|||
|
<programlisting>
|
|||
|
export NIX_REMOTE=daemon</programlisting>
|
|||
|
|
|||
|
into the users’ login scripts.</para>
|
|||
|
|
|||
|
</simplesect>
|
|||
|
|
|||
|
<simplesect>
|
|||
|
|
|||
|
<title>Restricting access</title>
|
|||
|
|
|||
|
<para>To limit which users can perform Nix operations, you can use the
|
|||
|
permissions on the directory
|
|||
|
<filename>/nix/var/nix/daemon-socket</filename>. For instance, if you
|
|||
|
want to restrict the use of Nix to the members of a group called
|
|||
|
<literal>nix-users</literal>, do
|
|||
|
|
|||
|
<screen>
|
|||
|
$ chgrp nix-users /nix/var/nix/daemon-socket
|
|||
|
$ chmod ug=rwx,o= /nix/var/nix/daemon-socket
|
|||
|
</screen>
|
|||
|
|
|||
|
This way, users who are not in the <literal>nix-users</literal> group
|
|||
|
cannot connect to the Unix domain socket
|
|||
|
<filename>/nix/var/nix/daemon-socket/socket</filename>, so they cannot
|
|||
|
perform Nix operations.</para>
|
|||
|
|
|||
|
</simplesect>
|
|||
|
|
|||
|
|
|||
|
</section>
|