about summary refs log tree commit diff
path: root/src/libstore
diff options
context:
space:
mode:
authorEelco Dolstra <eelco.dolstra@logicblox.com>2014-07-17T14·57+0200
committerEelco Dolstra <eelco.dolstra@logicblox.com>2014-07-17T14·57+0200
commit049c0eb49c621ae50f49c8a06dc6c3a9839ef388 (patch)
tree63c0f299510adda0e21c7d323917eefcd5e1f6ce /src/libstore
parent0c730887c4ec4a03fb854490e422c134a1bf8139 (diff)
nix-daemon: Add trusted-users and allowed-users options
‘trusted-users’ is a list of users and groups that have elevated
rights, such as the ability to specify binary caches. It defaults to
‘root’. A typical value would be ‘@wheel’ to specify all users in the
wheel group.

‘allowed-users’ is a list of users and groups that are allowed to
connect to the daemon. It defaults to ‘*’. A typical value would be
‘@users’ to specify the ‘users’ group.
Diffstat (limited to 'src/libstore')
-rw-r--r--src/libstore/globals.cc4
-rw-r--r--src/libstore/globals.hh9
2 files changed, 13 insertions, 0 deletions
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index 60bc1dba13ff..2bfebb77a130 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -63,6 +63,8 @@ Settings::Settings()
     lockCPU = getEnv("NIX_AFFINITY_HACK", "1") == "1";
     showTrace = false;
     enableImportNative = false;
+    trustedUsers = Strings({"root"});
+    allowedUsers = Strings({"*"});
 }
 
 
@@ -152,6 +154,8 @@ void Settings::update()
     get(logServers, "log-servers");
     get(enableImportNative, "allow-unsafe-native-code-during-evaluation");
     get(useCaseHack, "use-case-hack");
+    get(trustedUsers, "trusted-users");
+    get(allowedUsers, "allowed-users");
 
     string subs = getEnv("NIX_SUBSTITUTERS", "default");
     if (subs == "default") {
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 8dd59a9c7967..f1748336fdac 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -203,6 +203,15 @@ struct Settings {
     /* Whether the importNative primop should be enabled */
     bool enableImportNative;
 
+    /* List of users that have elevated rights in the Nix daemon, such
+       as the ability to specify additional binary caches, or to
+       import unsigned NARs. */
+    Strings trustedUsers;
+
+    /* List of users that are allowed to connect to the daemon, in
+       addition to the trusted users. These have normal rights. */
+    Strings allowedUsers;
+
 private:
     SettingsMap settings, overrides;