From 765bdfe542d3250329dea98b69db2271419f31b6 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 30 Nov 2006 19:54:43 +0000 Subject: * When NIX_REMOTE is set to "slave", fork off nix-worker in slave mode. Presumably nix-worker would be setuid to the Nix store user. The worker performs all operations on the Nix store and database, so the caller can be completely unprivileged. This is already much more secure than the old setuid scheme, since the worker doesn't need to do Nix expression evaluation and so on. Most importantly, this means that it doesn't need to access any user files, with all resulting security risks; it only performs pure store operations. Once this works, it is easy to move to a daemon model that forks off a worker for connections established through a Unix domain socket. That would be even more secure. --- src/libstore/remote-store.hh | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'src/libstore/remote-store.hh') diff --git a/src/libstore/remote-store.hh b/src/libstore/remote-store.hh index 8ebe5e397e20..da6911cf4fa2 100644 --- a/src/libstore/remote-store.hh +++ b/src/libstore/remote-store.hh @@ -9,6 +9,12 @@ namespace nix { +class Pipe; +class Pid; +struct FdSink; +struct FdSource; + + class RemoteStore : public StoreAPI { public: @@ -44,6 +50,11 @@ public: void ensurePath(const Path & storePath); private: + Pipe toChild; + Pipe fromChild; + FdSink to; + FdSource from; + Pid child; }; -- cgit 1.4.1