summary refs log tree commit diff
diff options
context:
space:
mode:
authorEelco Dolstra <e.dolstra@tudelft.nl>2004-10-31 17:08:48 +0000
committerEelco Dolstra <e.dolstra@tudelft.nl>2004-10-31 17:08:48 +0000
commitb05a596d61a5e062fc07380f8e6421fcfcb37f07 (patch)
treee49fc092d8de0345600e0c4e0f02d71d624aba45
parent0d80d237c5d817c60c420a8a7870e296f202c1b3 (diff)
downloadguix-b05a596d61a5e062fc07380f8e6421fcfcb37f07.tar.gz
* Document setuid Nix installs.
-rw-r--r--doc/manual/installation.xml51
-rw-r--r--doc/manual/schemas.xml2
2 files changed, 46 insertions, 7 deletions
diff --git a/doc/manual/installation.xml b/doc/manual/installation.xml
index 14cd55b632..15463a9b64 100644
--- a/doc/manual/installation.xml
+++ b/doc/manual/installation.xml
@@ -63,7 +63,11 @@ are included in the Nix source distribution.  If you build from the
 Subversion repository, you must download them yourself and place them
 in the <filename>externals/</filename> directory.  See
 <filename>externals/Makefile.am</filename> for the precise URLs of
-these packages.</para>
+these packages.  Alternatively, if you already have them installed,
+you can use <command>configure</command>'s <option>--with-bdb</option>
+and <option>--with-aterm</option> options to point to their respective
+locations.  Note that Berkeley DB <emphasis>must</emphasis> be version
+4.2; other versions may not have compatible database formats.</para>
 
 </sect1>
 
@@ -91,8 +95,7 @@ $ autoreconf -i</screen>
 <command>configure</command>.  The default installation directory is
 <filename>/nix</filename>.  You can change this to any location you
 like.  You must have write permission to the
-<replaceable>prefix</replaceable> path.
-    </para>
+<replaceable>prefix</replaceable> path.</para>
 
 <warning><para>It is advisable <emphasis>not</emphasis> to change the
 installation prefix from its default, since doing so will in all
@@ -123,7 +126,7 @@ based on <literal>glibc</literal> 2.3 or later.</para>
 <command>rpm -U</command>.  For example,</para>
 
 <screen>
-rpm -U nix-0.5pre664-1.i386.rpm</screen>
+$ rpm -U nix-0.5pre664-1.i386.rpm</screen>
 
 <para>The RPMs install into the directory <filename>/nix</filename>.
 Nix can be uninstalled using <command>rpm -e nix</command>.  After
@@ -131,8 +134,8 @@ this it will be necessary to manually remove the Nix store and other
 auxiliary data:</para>
 
 <screen>
-rm -rf /nix/store
-rm -rf /nix/var</screen>
+$ rm -rf /nix/store
+$ rm -rf /nix/var</screen>
 
 </sect1>
 
@@ -147,6 +150,42 @@ respectively).  When installed from the RPM packages, these
 directories are owned by <systemitem
 class='username'>root</systemitem>.</para>
 
+<sect2><title>Setuid installation</title>
+
+<para>As a somewhat <emphasis>ad hoc</emphasis> hack, you can also
+install the Nix binaries <quote>setuid</quote> so that a Nix store can
+be shared among several users.  To do this, configure Nix with the
+<emphasis>--enable-setuid</emphasis> option.  Nix will be installed as
+owned by a user and group specified by the
+<option>--with-nix-user=<parameter>user</parameter></option> and
+<option>--with-nix-group=<parameter>group</parameter></option>
+options.  E.g.,
+
+<screen>
+$ ./configure --enable-setuid --with-nix-user=my_nix_user --with-nix-group=my_nix_group</screen>
+
+The user and group default to <literal>nix</literal>.  You should make
+sure that both the user and the group exist.  Any <quote>real</quote>
+users that you want to allow access should be added to the Nix
+group.</para>
+
+<warning><para>A setuid installation should only by used if the users
+in the Nix group are mutually trusted, since any user in that group
+has the ability to change anything in the Nix store or database.  For
+instance, they could install a trojan horse in executables used by
+other users.</para></warning>
+
+<warning><para>On some platforms, the Nix binaries will be installed
+as setuid <literal>root</literal>.  They drop root privileges
+immediately after startup and switch to the Nix user.  The reason for
+this is that both the real and effective user must be set to the Nix
+user, and POSIX has no system call to do this.  This is not the case
+on systems that have the <function>setresuid()</function> system call
+(such as Linux and FreeBSD), so on those systems the binaries are
+simply owned by the Nix user.</para></warning>
+
+</sect2>
+
 </sect1>
 
 
diff --git a/doc/manual/schemas.xml b/doc/manual/schemas.xml
index 076f3a1415..691a517b9c 100644
--- a/doc/manual/schemas.xml
+++ b/doc/manual/schemas.xml
@@ -1,4 +1,4 @@
 <?xml version="1.0"?>
 <locatingRules xmlns="http://thaiopensource.com/ns/locating-rules/1.0">
-  <uri pathSuffix=".xml" typeId="DocBook"/>
+  <uri pattern="*.xml" typeId="DocBook"/>
 </locatingRules>