Hi,

Ludovic Courtès wrote:

> While going through the "Quick Start" Section of the manual, I was
> surprised to see that, while `nix-channel --add' works without any
> special privileges, `nix-channel --update' and `nix-env' require root
> access.
>
> Are there any plans to allow per-user channel updates and package
> installations, à la 0install? If so, are there plans to allow sharing
> of channel manifests and installed packages among users of a machine?

Nix-env certainly doesn't require root access, if Nix is configured in the right way. (And "the right way" isn't documented yet, but NixOS is set up that way - any user can install software. I'll update the manual for the Nix 0.11 release soon.)

In principle nix-channel could also work per user - the only problem is that nix-channel does a nix-pull to get a list of pre-built binaries, and that's a privileged operation that only root can do. The reason for this is that otherwise a user could register some bogus binary that doesn't correspond to its purported derivation (the source build action from which the binary was supposedly produced). Building from source is safe because users cannot influence builds (they're executed under a different, unique uid).

There is a paper about the Nix security model:

http://people.cs.uu.nl/eelco/pubs/secsharing-ase2005-final.pdf

The current model is described in section 3. The rest of the paper describes an approach which would allow unprivileged users to do nix-pulls, but that model is not implemented in the Nix trunk yet (though there is a branch that does it: https://svn.cs.uu.nl:12443/repos/trace/nix/branches/secure/).

Anyway, it would be very simple to make nix-channel check whether it has write permission to /nix/var/nix/manifests, and if not, skip the nix-pull. Users would still get downloads of prebuilt binaries for store paths that are in channels subscribed to by root.
-- 
Eelco Dolstra | http://www.cs.uu.nl/~eelco

_______________________________________________
nix-dev mailing list
[email protected]
https://mail.cs.uu.nl/mailman/listinfo/nix-dev
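The check Eelco sketches at the end of the mail (skip the privileged nix-pull when the process cannot write to the manifests directory, instead of failing the whole `nix-channel --update`), as an added example in POSIX shell. This is not nix-channel's own code, and it assumes two things the mail does not spell out: that the manifests directory is /nix/var/nix/manifests (made overridable through MANIFESTS_DIR so the logic can be exercised against a scratch directory) and that the manifest for a channel URL is fetched as `$url/MANIFEST`. The rest of the update step is left out.

```sh
#!/bin/sh
# Added example, not nix-channel's own code. Demonstrates the proposed
# behaviour: do the nix-pull only when this process may register manifests.
#
# Assumptions (not stated in the original mail):
#   - manifests live in /nix/var/nix/manifests (MANIFESTS_DIR overrides it)
#   - the channel's manifest is fetched from "$url/MANIFEST"

MANIFESTS_DIR="${MANIFESTS_DIR:-/nix/var/nix/manifests}"

# True iff this process could drop a manifest into the directory. Registering
# a manifest is what lets a binary stand in for a source build, so a user who
# cannot write here must not be able to perform the pull at all.
can_register_manifests() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Decide what the update step should do: "pull" when manifests can be
# registered, "skip" otherwise. An unprivileged user who gets "skip" still
# benefits from binaries root already pulled for the same store paths.
plan_channel_update() {
    if can_register_manifests "$MANIFESTS_DIR"; then
        echo pull
    else
        echo skip
    fi
}

# The update step itself. Only runs nix-pull when the plan says so; the rest
# of nix-channel --update (fetching the channel expression) is not shown.
update_channel() {
    url=$1
    case $(plan_channel_update) in
        pull) nix-pull "$url/MANIFEST" ;;
        skip) echo "no write access to $MANIFESTS_DIR; skipping nix-pull for $url" >&2 ;;
    esac
}

# Run the update only when executed directly with a channel URL, e.g.
#   MANIFESTS_DIR=/tmp/manifests sh update-channel.sh http://example.invalid/channel
if [ $# -gt 0 ]; then
    update_channel "$1"
fi
```

Note that the decision is about write permission on the directory, not about being uid 0: a machine that hands a dedicated group write access to the manifests directory would let that group pull, which is exactly the trust the mail says should stay with root, so the directory's permissions are the thing to audit.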
