authorEelco Dolstra <e.dolstra@tudelft.nl>2007-08-30T09·50+0000
committerEelco Dolstra <e.dolstra@tudelft.nl>2007-08-30T09·50+0000
commit0d65fc08e2f7e69976ab91271024a87dbeef380d (patch)
tree8276ec01bd428d3be6422eb71e25ed8dec247ae1
parentcb1c1004cdd582abe67146ab3904bd88de3a1d4e (diff)
* Create the Nix daemon socket in a separate directory
  (/nix/var/nix/daemon-socket).  This allows access to the Nix daemon
  to be restricted by setting the mode/ownership on that directory as
  desired, e.g.

    $ chmod 770 /nix/var/nix/daemon-socket
    $ chown root.wheel /nix/var/nix/daemon-socket

  to allow only users in the wheel group to use Nix.

  Setting the ownership on a socket is much trickier, since the socket
  must be deleted and recreated every time the daemon is started
  (which would require additional Nix configuration file directives to
  specify the mode/ownership, and wouldn't support arbitrary ACLs),
  some BSD variants appear to ignore permissions on sockets, and it's
  not clear whether the umask is respected on every platform when
  creating sockets.

-rw-r--r--src/libstore/worker-protocol.hh9
-rw-r--r--src/nix-worker/nix-worker.cc5
2 files changed, 10 insertions, 4 deletions
diff --git a/src/libstore/worker-protocol.hh b/src/libstore/worker-protocol.hh
index 56d03af55be3..f3b63151dbfb 100644
--- a/src/libstore/worker-protocol.hh
+++ b/src/libstore/worker-protocol.hh
@@ -38,9 +38,12 @@ typedef enum {
 #define STDERR_ERROR 0x63787470
 
 
-/* The default location of the daemon socket, relative to
-   nixStateDir. */
-#define DEFAULT_SOCKET_PATH "/daemon.socket"
+/* The default location of the daemon socket, relative to nixStateDir.
+   The socket is in a directory to allow you to control access to the
+   Nix daemon by setting the mode/ownership of the directory
+   appropriately.  (This wouldn't work on the socket itself since it
+   must be deleted and recreated on startup.) */
+#define DEFAULT_SOCKET_PATH "/daemon-socket/socket"
 
 
 Path readStorePath(Source & from);
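Review bot: The new comment on `DEFAULT_SOCKET_PATH` says access is controlled through the directory's mode/ownership, but it does not say which permission bits matter. Connecting needs only search (x) permission on `daemon-socket`, whereas write permission on the directory lets its holder remove or replace the `socket` entry that clients trust. I would extend the comment with a sentence such as `Clients need only search (x) permission on the directory; write permission should be limited to the user running the daemon.`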
diff --git a/src/nix-worker/nix-worker.cc b/src/nix-worker/nix-worker.cc
index 6ddf01bd017d..b9d5b1e26309 100644
--- a/src/nix-worker/nix-worker.cc
+++ b/src/nix-worker/nix-worker.cc
@@ -517,6 +517,8 @@ static void daemonLoop()
 
     string socketPath = nixStateDir + DEFAULT_SOCKET_PATH;
 
+    createDirs(dirOf(socketPath));
+
     struct sockaddr_un addr;
     addr.sun_family = AF_UNIX;
     if (socketPath.size() >= sizeof(addr.sun_path))
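Review bot: `createDirs(dirOf(socketPath))` creates the directory with whatever mode createDirs applies (not visible in this hunk) and accepts an existing directory without looking at its owner or mode. On a fresh install the 0666 socket is therefore presumably still reachable by every local user until an administrator tightens the directory. That matches the previous behaviour, but it is worth stating at the call site, e.g. `/* Created with default permissions; restrict the directory's mode/ownership to limit who can connect. */`. The call also runs before the `sun_path` length check, so if that check rejects an over-long path the directory has already been created; moving the call below the check would avoid that. daemonLoop starts and ends outside the hunk.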
@@ -526,7 +528,8 @@ static void daemonLoop()
     unlink(socketPath.c_str());
 
     /* Make sure that the socket is created with 0666 permission
-       (everybody can connect). */
+       (everybody can connect --- provided they have access to the
+       directory containing the socket). */
     mode_t oldMode = umask(0111);
     int res = bind(fdSocket, (struct sockaddr *) &addr, sizeof(addr));
     umask(oldMode);