Re: [Nix-dev] Is it possible to limit nix access to sudoers and/or a group?
> I'd like to build a system where regular users cannot access nix
> commands, daemon, etc.

Look for the 'allowed-users' option in the nix.conf(5) man page. That should do what you want.

Best regards,
Peter

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
https://mailman.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Is it possible to limit nix access to sudoers and/or a group?
Oh, I had in mind https://github.com/NixOS/nix/issues/8

I do Nix builds of some private packages. The source for the builds is fetched from a private repo, of course. But the nix store is a public place, and my private sources become public.

2017-01-20 13:46 GMT+02:00 Profpatsch :
> On 17-01-20 10:59am, Danylo Hlynskyi wrote:
> > Nix design doesn't support quotas on filled store per-user, and let's not
> > forget #8.
>
> https://github.com/NixOS/nixpkgs/pull/8 ?
>
> That looks unrelated.
>
> --
> Proudly written in Mutt with Vim on NixOS.
> Q: Why is this email five sentences or less?
> A: http://five.sentenc.es
> May take up to five days to read your message. If it's urgent, call me.
Re: [Nix-dev] Is it possible to limit nix access to sudoers and/or a group?
On 20/01/17 12:46, Profpatsch wrote:
> On 17-01-20 10:59am, Danylo Hlynskyi wrote:
> > Nix design doesn't support quotas on filled store per-user, and let's not
> > forget #8.
>
> https://github.com/NixOS/nixpkgs/pull/8 ?
>
> That looks unrelated.

Rather https://github.com/NixOS/nix/issues/8 I would say.
Re: [Nix-dev] Is it possible to limit nix access to sudoers and/or a group?
Hi,

On 01/20/2017 01:25 PM, Tomasz Czyż wrote:
> So obvious :-)
>
> Eelco, is that the case with NixOS only, or does that also work when you install
> Nix as a regular user, let's say on Ubuntu?

It works in any multi-user Nix setup, i.e. when using nix-daemon. Note however that the Nix install script at http://nixos.org/nix/install only does a single-user install at the moment.

--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
Re: [Nix-dev] Is it possible to limit nix access to sudoers and/or a group?
So obvious :-)

Eelco, is that the case with NixOS only, or does that also work when you install Nix as a regular user, let's say on Ubuntu?

2017-01-20 12:07 GMT+00:00 Eelco Dolstra :
> Hi,
>
> On 01/20/2017 03:15 AM, Mateusz Czaplinski wrote:
>
> > I'd like to build a system where regular users cannot access nix
> > commands, daemon, etc. Ideally, only users belonging to a particular
> > group could access those. (Probably worse solution, but still
> > acceptable, if this was limited to sudoers only.)
> >
> > Is it possible? If yes, how to do that on NixOS?
>
> Yes, by setting allowed-users in nix.conf, or nix.allowedUsers in the NixOS
> configuration, e.g.
>
> nix.allowedUsers = [ "@wheel" ];
>
> The default is "*". I've been thinking that it might be good to tighten this to
> something like [ "root" "@users" ], to disallow (say) system daemons.
>
> --
> Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/

--
Tomasz Czyż
Re: [Nix-dev] Is it possible to limit nix access to sudoers and/or a group?
Hi,

On 01/20/2017 03:15 AM, Mateusz Czaplinski wrote:
> I'd like to build a system where regular users cannot access nix
> commands, daemon, etc. Ideally, only users belonging to a particular
> group could access those. (Probably worse solution, but still
> acceptable, if this was limited to sudoers only.)
>
> Is it possible? If yes, how to do that on NixOS?

Yes, by setting allowed-users in nix.conf, or nix.allowedUsers in the NixOS configuration, e.g.

    nix.allowedUsers = [ "@wheel" ];

The default is "*". I've been thinking that it might be good to tighten this to something like [ "root" "@users" ], to disallow (say) system daemons.

--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
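The following is an added example, not code from the thread or from Nix itself: a small Python model of the admission check that nix-daemon applies to a connecting user from the allowed-users and trusted-users settings in nix.conf (trusted users are always admitted, everyone else must match allowed-users, where "*" matches anyone and "@name" matches a group). The sample nix.conf and the user-to-group map are constructed for the example; the real daemon consults the system group database, and, as Eelco notes in the thread, none of this applies to a single-user install that does not go through the daemon.

```python
from typing import Dict, List, Set

# Constructed sample nix.conf (not from the thread), using the tightened
# setting Eelco suggested instead of the default "*".
SAMPLE_NIX_CONF = """\
# lines starting with '#' are comments
allowed-users = root @users
trusted-users = root @wheel
max-jobs = 4
"""

# Constructed group membership (user -> groups), an assumption for this example;
# the real daemon looks the user's groups up in the system group database.
GROUPS: Dict[str, Set[str]] = {
    "root": {"root", "wheel"},
    "alice": {"users", "wheel"},
    "bob": {"users"},
    "nginx": {"nginx"},  # a system daemon account, not in "users"
}

def parse_nix_conf(text: str) -> Dict[str, List[str]]:
    """Parse 'key = value ...' lines into a dict of whitespace-split tokens."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.split()
    return settings

def match_user(user: str, groups: Set[str], patterns: List[str]) -> bool:
    """'*' matches everyone, '@grp' matches members of grp, else exact user name."""
    for pat in patterns:
        if pat == "*" or (pat.startswith("@") and pat[1:] in groups) or pat == user:
            return True
    return False

def daemon_allows(user: str, conf: Dict[str, List[str]],
                  group_db: Dict[str, Set[str]] = GROUPS) -> bool:
    """Trusted users are always admitted; everyone else must match allowed-users.
    Defaults mirror nix.conf: trusted-users = root, allowed-users = *."""
    groups = group_db.get(user, set())
    trusted = match_user(user, groups, conf.get("trusted-users", ["root"]))
    return trusted or match_user(user, groups, conf.get("allowed-users", ["*"]))
```

With the sample configuration, alice and bob (members of "users") are admitted while the nginx service account is refused; with the default allowed-users of "*" every account, daemons included, gets in.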
Re: [Nix-dev] Is it possible to limit nix access to sudoers and/or a group?
On 17-01-20 10:59am, Danylo Hlynskyi wrote:
> Nix design doesn't support quotas on filled store per-user, and let's not
> forget #8.

https://github.com/NixOS/nixpkgs/pull/8 ?

That looks unrelated.

--
Proudly written in Mutt with Vim on NixOS.
Q: Why is this email five sentences or less?
A: http://five.sentenc.es
May take up to five days to read your message. If it's urgent, call me.
Re: [Nix-dev] Is it possible to limit nix access to sudoers and/or a group?
Nix design doesn't support quotas on filled store per-user, and let's not forget #8.

2017-01-20 5:36 GMT+02:00 Tomasz Czyż :
> It's probably against nix design but let's try.
>
> Just an idea (haven't tried yet). Install nix as NIXUSER (without the
> daemon, just nix to run builds). Other users can access paths built by nix
> from /nix/store but they won't access nix as it belongs to NIXUSER.
>
> But they probably can access nix at any point at this stage (or maybe they
> need sudo to be added to a group, not sure).
>
> 2017-01-20 2:15 GMT+00:00 Mateusz Czaplinski :
>
>> I'd like to build a system where regular users cannot access nix
>> commands, daemon, etc. Ideally, only users belonging to a particular
>> group could access those. (Probably worse solution, but still
>> acceptable, if this was limited to sudoers only.)
>>
>> Is it possible? If yes, how to do that on NixOS?
>>
>> Thanks & Best Regards,
>> /Mateusz.
>
> --
> Tomasz Czyż
Re: [Nix-dev] Is it possible to limit nix access to sudoers and/or a group?
This is a good question because installing packages can be used as a DoS attack. I wonder if it would be easy to make a patch to change the file permissions on the Nix daemon and other services that write to the Nix store.

On Jan 20, 2017 02:15, "Mateusz Czaplinski" wrote:
> I'd like to build a system where regular users cannot access nix
> commands, daemon, etc. Ideally, only users belonging to a particular
> group could access those. (Probably worse solution, but still
> acceptable, if this was limited to sudoers only.)
>
> Is it possible? If yes, how to do that on NixOS?
>
> Thanks & Best Regards,
> /Mateusz.
Re: [Nix-dev] Is it possible to limit nix access to sudoers and/or a group?
It's probably against nix design but let's try.

Just an idea (haven't tried yet). Install nix as NIXUSER (without the daemon, just nix to run builds). Other users can access paths built by nix from /nix/store but they won't access nix as it belongs to NIXUSER.

But they probably can access nix at any point at this stage (or maybe they need sudo to be added to a group, not sure).

2017-01-20 2:15 GMT+00:00 Mateusz Czaplinski :
> I'd like to build a system where regular users cannot access nix
> commands, daemon, etc. Ideally, only users belonging to a particular
> group could access those. (Probably worse solution, but still
> acceptable, if this was limited to sudoers only.)
>
> Is it possible? If yes, how to do that on NixOS?
>
> Thanks & Best Regards,
> /Mateusz.

--
Tomasz Czyż
[Nix-dev] Is it possible to limit nix access to sudoers and/or a group?
I'd like to build a system where regular users cannot access nix commands, daemon, etc. Ideally, only users belonging to a particular group could access those. (Probably worse solution, but still acceptable, if this was limited to sudoers only.)

Is it possible? If yes, how to do that on NixOS?

Thanks & Best Regards,
/Mateusz.