From 2d35116c13e0c11210cb712f9ce6e8a38058f350 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Fri, 20 Aug 2004 14:49:05 +0000 Subject: * Setuid support for sharing a Nix installation between multiple users. If the configure flag `--enable-setuid' is used, the Nix programs nix-env, nix-store, etc. are installed with the setuid bit turned on so that they are executed as the user and group specified by `--with-nix-user=USER' and `--with-nix-group=GROUP', respectively (with defaults `nix' and `nix'). The setuid programs drop all special privileges if they are executed by a user who is not a member of the Nix group. The setuid feature is a quick hack to enable sharing of a Nix installation between users who trust each other. It is not generally secure, since any user in the Nix group can modify (by building an appropriate derivation) any object in the store, and for instance inject trojans into binaries used by other users. The setuid programs are owned by root, not the Nix user. This is because on Unix normal users cannot change the real uid, only the effective uid. Many programs don't work properly when the real uid differs from the effective uid. For instance, Perl will turn on taint mode. However, the setuid programs drop all root privileges immediately, changing all uids and gids to the Nix user and group. --- scripts/nix-push.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'scripts') diff --git a/scripts/nix-push.in b/scripts/nix-push.in index 84330016f310..fc44d02c6cba 100644 --- a/scripts/nix-push.in +++ b/scripts/nix-push.in @@ -92,7 +92,7 @@ while (scalar @tmp > 0) { my @tmp2 = @tmp[0..$n - 1]; @tmp = @tmp[$n..scalar @tmp - 1]; - system "@bindir@/nix-store --realise -B @tmp2 > /dev/null"; + system "@bindir@/nix-store --realise @tmp2 > /dev/null"; if ($?) { die "`nix-store --realise' failed"; } open NARPATHS, "@bindir@/nix-store --query --list @tmp2 |" or die "cannot run nix"; -- cgit 1.4.1