build: disallow root without build users #3415
base: master
Conversation
related: nix-community#1 which makes root also use the daemon protocol when the nix-daemon is started

What do you mean with validation? Allowing the user to disable build isolation is a legitimate use case, especially in containers.
@edolstra I disagree with the premise that user separation is not important for containers. I would argue the opposite: being able to set up an environment needed to run a project, including global files, users, etc., is exactly what containers are intended for. Another example of a project that completely refuses to run as root or setuid is postgresql, preventing users from shooting themselves in the foot with a setup that has horrible security implications, regardless of whether it might be slightly less bad in certain contexts.
@LnL7 The issues you linked to suggest that people really need this (or think they do...). I'm not saying user separation cannot be useful for containers. But generally a container should run a single service (and shouldn't have a writable Nix store). BTW, we also allow user separation to be disabled for non-root users (e.g. when you do
@edolstra Yeah, I think this mainly stems from confusion about build user separation and the nix-daemon being separate things that don't depend on each other. As for a regular single user install, yes, it would be good to make that more clear. However, unlike with root, there are cases where not enough permissions are available. Sandboxing also plays a role in this of course; if you feel strongly about it I could also include that in the condition.
Maybe we should disable single-user installation for root and advise how to use multi-user installation correctly, even in the case when there's no need to run the daemon.
I marked this as stale due to inactivity.

any update?

I marked this as stale due to inactivity.

In any case, I think a good preperatory step would be making

Marking as draft because it's old and there comments.
Currently nix enforces build user separation for root by setting

    build-users-group = nixbld

by default in this case. However there's no validation allowing the user to disable it. For nix-daemon specifically there used to be a check that ensured builds would not run as root, however that was also removed in 98968fb. A bunch of issues mention this bug as a "workaround" for root installations which is pretty bad IMHO. And it looks like there are also things in nix that don't account for this behaviour, making it only partially functional.
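As an added illustration of the validation the PR description asks for (this is example code written for this page, not Nix's own implementation and not code from the PR), the script below parses a nix.conf-style file, reads `build-users-group`, and refuses when the invoking uid is 0 and the group has been emptied. The function names `get_build_users_group` and `check_root_build_users` are hypothetical; the sample config files are constructed inline. When the key is absent, the script assumes the default the description states for root (`nixbld`) and an empty group for other users.

```shell
#!/bin/sh
# Added example, not Nix's own code: a pre-flight check mirroring the rule
# this PR argues for (root must not disable build user separation). It
# parses a nix.conf-style file and decides whether a given uid may use it.

# Print the value of build-users-group from a nix.conf-style file.
# Assumed format: "key = value" lines, '#' starts a comment, the last
# assignment wins. Returns 1 (and prints nothing) when the key is unset.
get_build_users_group() {
    line=$(sed -e 's/#.*//' "$1" \
        | grep -E '^[[:space:]]*build-users-group[[:space:]]*=' \
        | tail -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Return 0 if uid $1 may build with config file $2, 1 if it must be refused.
# When the key is absent we assume the default named in the PR description:
# "nixbld" for root, and (assumption) an empty group for everyone else.
check_root_build_users() {
    uid=$1
    conf=$2
    if group=$(get_build_users_group "$conf"); then
        :
    elif [ "$uid" -eq 0 ]; then
        group=nixbld
    else
        group=
    fi
    if [ "$uid" -eq 0 ] && [ -z "$group" ]; then
        echo "refusing: running as root with an empty build-users-group disables build user separation" >&2
        return 1
    fi
    return 0
}

# Constructed sample configs (not taken from the page):
TMPD=$(mktemp -d)
cat > "$TMPD/disabled.conf" <<'EOF'
# the "workaround" several issues recommend for root installs
build-users-group =
EOF
cat > "$TMPD/default.conf" <<'EOF'
build-users-group = nixbld
EOF
cat > "$TMPD/absent.conf" <<'EOF'
max-jobs = 4
EOF

# usage: evaluate the current user against the weakened config
if check_root_build_users "$(id -u)" "$TMPD/disabled.conf"; then
    echo "ok: build user separation is in effect or not required for uid $(id -u)"
else
    echo "rejected"
fi
```

Non-root users are still allowed an empty group, matching the point made in the thread that they may lack the permissions needed to switch users; only the root case is rejected.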