Running the Nix daemon (nearly) rootless

Cite

NixCon

Hufschmitt, Théophane

Formal Metadata

Title

Running the Nix daemon (nearly) rootless

Title of Series

NixCon 2022

Number of Parts

Author

Hufschmitt, Théophane

License

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Identifiers

10.5446/61038 (DOI)

Publisher

NixCon

Release Date

2022

Language

English

Content Metadata

Subject Area

Computer Science

Genre

Conference/Talk

Abstract

Making Nix follow the principle of least privilege by removing as much as possible the need to it to run as root In multi-user mode, the Nix daemon is expected to run as root. This is quite annoying from a security point of view as the Nix codebase is (somewhat) large and not properly audited. Because of that it is also an adoption blocker in some places. I turns out that there's very few places where Nix actually needs to be root, and we can remove or isolate these, as done in https://github.com/NixOS/nix/pull/5380.