From 049c0eb49c621ae50f49c8a06dc6c3a9839ef388 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Thu, 17 Jul 2014 16:57:07 +0200
Subject: nix-daemon: Add trusted-users and allowed-users options
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

‘trusted-users’ is a list of users and groups that have elevated
rights, such as the ability to specify binary caches. It defaults to
‘root’. A typical value would be ‘@wheel’ to specify all users in the
wheel group.

‘allowed-users’ is a list of users and groups that are allowed to
connect to the daemon. It defaults to ‘*’. A typical value would be
‘@users’ to specify the ‘users’ group.
---
 doc/manual/conf-file.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

(limited to 'doc')

diff --git a/doc/manual/conf-file.xml b/doc/manual/conf-file.xml
index 29f7f9c51aea..6af4c776548d 100644
--- a/doc/manual/conf-file.xml
+++ b/doc/manual/conf-file.xml
@@ -479,6 +479,48 @@ flag, e.g. --option gc-keep-outputs false. + trusted-users + + + + A list of names of users (separated by whitespace) that + have additional rights when connecting to the Nix daemon, such + as the ability to specify additional binary caches, or to import + unsigned NARs. You can also specify groups by prefixing them + with @; for instance, + @wheel means all users in the + wheel group. The default is + root. + + The users listed here have the ability to + compromise the security of a multi-user Nix store. For instance, + they could install Trojan horses subsequently executed by other + users. So you should consider carefully whether to add users to + this list. + + + + + + + allowed-users + + + + A list of names of users (separated by whitespace) that + are allowed to connect to the Nix daemon. As with the + option, you can specify groups by + prefixing them with @. Also, you can allow + all users by specifying *. The default is + *. + + Note that trusted users are always allowed to connect. + + + + + + -- cgit 1.4.1
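Review bot: The trusted-users entry never says whether `*` is accepted there, while the allowed-users entry introduces it with "Also, you can allow all users by specifying *". A reader can take that as applying to both options. Since the same hunk warns that trusted users "have the ability to compromise the security of a multi-user Nix store", the trusted-users paragraph should state explicitly whether the wildcard is honoured and, if it is, that setting it gives every local user those rights. The warning would also be stronger if it said that a group entry such as `@wheel` extends the same rights to every current and future member of that group, so group membership becomes part of the store's trust boundary. Finally, neither entry says how a name that does not resolve to an existing user or group is treated (ignored, or an error at daemon start); one sentence on that would help administrators catch a typo that silently locks users out of allowed-users.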