diff options
author | Eelco Dolstra <e.dolstra@tudelft.nl> | 2006-12-03 15:32:38 +0000 |
---|---|---|
committer | Eelco Dolstra <e.dolstra@tudelft.nl> | 2006-12-03 15:32:38 +0000 |
commit | 35247c4c9f55fd49d8838b0df963016fdcde0420 (patch) | |
tree | a8d04945b60a28bb8fb9b6ff5b3f72d04e85f639 /nix.conf.example | |
parent | 84d6459bd5a0820729c57d710f886af6f423259b (diff) | |
download | guix-35247c4c9f55fd49d8838b0df963016fdcde0420.tar.gz |
* Removed `build-allow-root'.
* Added `build-users-group', the group under which builds are to be performed. * Check that /nix/store has 1775 permission and is owner by the build-users-group.
Diffstat (limited to 'nix.conf.example')
-rw-r--r-- | nix.conf.example | 45 |
1 files changed, 27 insertions, 18 deletions
diff --git a/nix.conf.example b/nix.conf.example index 47973ce4e7..a75045b148 100644 --- a/nix.conf.example +++ b/nix.conf.example @@ -78,37 +78,46 @@ #build-max-jobs = 1 -### Option `build-allow-root' -# -# This option controls Nix's behaviour when it is invoked under the -# `root' user (or setuid-root). If `true' (default), builds are -# performed under the `root' user. If `false', builds are performed -# under one of the users listed in the `build-users' option (see -# below). -#build-allow-root = true - - ### Option `build-users' # -# This option is only applicable if `build-allow-root' is `false' and -# Nix is invoked under the `root' user (or setuid-root). It contains -# a list of user names under which Nix can execute builds. Builds -# cannot be performed by root since that would allow users to take -# over the system by supplying specially crafted builders; and they -# cannot be performed by the calling user since that would allow -# him/her to influence the build result. +# This option contains a list of user names under which Nix can +# execute builds. In multi-user Nix installations, builds should not +# be performed by the Nix account since that would allow users to +# arbitrarily modify the Nix store and database by supplying specially +# crafted builders; and they cannot be performed by the calling user +# since that would allow him/her to influence the build result. # # Thus this list should contain a number of `special' user accounts # created specifically for Nix, e.g., `nix-builder-1', # `nix-builder-2', and so on. The more users the better, since at # most a number of builds equal to the number of build users can be -# started. +# running simultaneously. +# +# If this list is empty, builds will be performed under the Nix +# account (that is, the uid under which the Nix daemon runs, or that +# owns the setuid nix-worker program). # # Example: # build-users = nix-builder-1 nix-builder-2 nix-builder-3 #build-users = +### Option `build-users-group' +# +# If `build-users' is used, then this option specifies the group ID +# (gid) under which each build is to be performed. This group should +# have permission to create files in the Nix store, but not delete +# them. I.e., /nix/store should be owned by the Nix account, its +# group should be the group specified here, and its mode should be +# 1775. +# +# The default is `nix'. +# +# Example: +# build-users-group = nix +#build-users-group = + + ### Option `system' # # This option specifies the canonical Nix system name of the current |