nix-daemon: Add trusted-users and allowed-users options

‘trusted-users’ is a list of users and groups that have elevated rights, such as the ability to specify binary caches. It defaults to ‘root’. A typical value would be ‘@wheel’ to specify all users in the wheel group. ‘allowed-users’ is a list of users and groups that are allowed to connect to the daemon. It defaults to ‘*’. A typical value would be ‘@users’ to specify the ‘users’ group.
2014-07-17 16:57:07 +02:00 · 2014-07-17 16:57:07 +02:00 · 049c0eb49c
commit 049c0eb49c
parent 0c730887c4
4 changed files with 90 additions and 3 deletions
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@ -63,6 +63,8 @@ Settings::Settings()
    lockCPU = getEnv("NIX_AFFINITY_HACK", "1") == "1";
    showTrace = false;
    enableImportNative = false;
+    trustedUsers = Strings({"root"});
+    allowedUsers = Strings({"*"});
 }


@ -152,6 +154,8 @@ void Settings::update()
    get(logServers, "log-servers");
    get(enableImportNative, "allow-unsafe-native-code-during-evaluation");
    get(useCaseHack, "use-case-hack");
+    get(trustedUsers, "trusted-users");
+    get(allowedUsers, "allowed-users");

    string subs = getEnv("NIX_SUBSTITUTERS", "default");
    if (subs == "default") {
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@ -203,6 +203,15 @@ struct Settings {
    /* Whether the importNative primop should be enabled */
    bool enableImportNative;

+    /* List of users that have elevated rights in the Nix daemon, such
+       as the ability to specify additional binary caches, or to
+       import unsigned NARs. */
+    Strings trustedUsers;
+
+    /* List of users that are allowed to connect to the daemon, in
+       addition to the trusted users. These have normal rights. */
+    Strings allowedUsers;
+
 private:
    SettingsMap settings, overrides;