summary refs log tree commit diff
path: root/nix.conf.example
diff options
context:
space:
mode:
authorEelco Dolstra <e.dolstra@tudelft.nl>2006-12-03 15:32:38 +0000
committerEelco Dolstra <e.dolstra@tudelft.nl>2006-12-03 15:32:38 +0000
commit35247c4c9f55fd49d8838b0df963016fdcde0420 (patch)
treea8d04945b60a28bb8fb9b6ff5b3f72d04e85f639 /nix.conf.example
parent84d6459bd5a0820729c57d710f886af6f423259b (diff)
downloadguix-35247c4c9f55fd49d8838b0df963016fdcde0420.tar.gz
* Removed `build-allow-root'.
* Added `build-users-group', the group under which builds are to be
  performed.
* Check that /nix/store has 1775 permission and is owner by the
  build-users-group.

Diffstat (limited to 'nix.conf.example')
-rw-r--r--nix.conf.example45
1 files changed, 27 insertions, 18 deletions
diff --git a/nix.conf.example b/nix.conf.example
index 47973ce4e7..a75045b148 100644
--- a/nix.conf.example
+++ b/nix.conf.example
@@ -78,37 +78,46 @@
 #build-max-jobs = 1
 
 
-### Option `build-allow-root'
-#
-# This option controls Nix's behaviour when it is invoked under the
-# `root' user (or setuid-root).  If `true' (default), builds are
-# performed under the `root' user.  If `false', builds are performed
-# under one of the users listed in the `build-users' option (see
-# below).
-#build-allow-root = true
-
-
 ### Option `build-users'
 #
-# This option is only applicable if `build-allow-root' is `false' and
-# Nix is invoked under the `root' user (or setuid-root).  It contains
-# a list of user names under which Nix can execute builds.  Builds
-# cannot be performed by root since that would allow users to take
-# over the system by supplying specially crafted builders; and they
-# cannot be performed by the calling user since that would allow
-# him/her to influence the build result.
+# This option contains a list of user names under which Nix can
+# execute builds.  In multi-user Nix installations, builds should not
+# be performed by the Nix account since that would allow users to
+# arbitrarily modify the Nix store and database by supplying specially
+# crafted builders; and they cannot be performed by the calling user
+# since that would allow him/her to influence the build result.
 #
 # Thus this list should contain a number of `special' user accounts
 # created specifically for Nix, e.g., `nix-builder-1',
 # `nix-builder-2', and so on.  The more users the better, since at
 # most a number of builds equal to the number of build users can be
-# started.
+# running simultaneously.
+#
+# If this list is empty, builds will be performed under the Nix
+# account (that is, the uid under which the Nix daemon runs, or that
+# owns the setuid nix-worker program).
 #
 # Example:
 #   build-users = nix-builder-1 nix-builder-2 nix-builder-3
 #build-users =
 
 
+### Option `build-users-group'
+#
+# If `build-users' is used, then this option specifies the group ID
+# (gid) under which each build is to be performed.  This group should
+# have permission to create files in the Nix store, but not delete
+# them.  I.e., /nix/store should be owned by the Nix account, its
+# group should be the group specified here, and its mode should be
+# 1775.
+#
+# The default is `nix'.
+#
+# Example:
+#   build-users-group = nix
+#build-users-group =
+
+
 ### Option `system'
 #
 # This option specifies the canonical Nix system name of the current