* Document setuid Nix installs.

This commit is contained in:
Eelco Dolstra 2004-10-31 17:08:48 +00:00
parent 0d80d237c5
commit b05a596d61
2 changed files with 46 additions and 7 deletions

View file

@ -63,7 +63,11 @@ are included in the Nix source distribution. If you build from the
Subversion repository, you must download them yourself and place them Subversion repository, you must download them yourself and place them
in the <filename>externals/</filename> directory. See in the <filename>externals/</filename> directory. See
<filename>externals/Makefile.am</filename> for the precise URLs of <filename>externals/Makefile.am</filename> for the precise URLs of
these packages.</para> these packages. Alternatively, if you already have them installed,
you can use <command>configure</command>'s <option>--with-bdb</option>
and <option>--with-aterm</option> options to point to their respective
locations. Note that Berkeley DB <emphasis>must</emphasis> be version
4.2; other versions may not have compatible database formats.</para>
</sect1> </sect1>
@ -91,8 +95,7 @@ $ autoreconf -i</screen>
<command>configure</command>. The default installation directory is <command>configure</command>. The default installation directory is
<filename>/nix</filename>. You can change this to any location you <filename>/nix</filename>. You can change this to any location you
like. You must have write permission to the like. You must have write permission to the
<replaceable>prefix</replaceable> path. <replaceable>prefix</replaceable> path.</para>
</para>
<warning><para>It is advisable <emphasis>not</emphasis> to change the <warning><para>It is advisable <emphasis>not</emphasis> to change the
installation prefix from its default, since doing so will in all installation prefix from its default, since doing so will in all
@ -123,7 +126,7 @@ based on <literal>glibc</literal> 2.3 or later.</para>
<command>rpm -U</command>. For example,</para> <command>rpm -U</command>. For example,</para>
<screen> <screen>
rpm -U nix-0.5pre664-1.i386.rpm</screen> $ rpm -U nix-0.5pre664-1.i386.rpm</screen>
<para>The RPMs install into the directory <filename>/nix</filename>. <para>The RPMs install into the directory <filename>/nix</filename>.
Nix can be uninstalled using <command>rpm -e nix</command>. After Nix can be uninstalled using <command>rpm -e nix</command>. After
@ -131,8 +134,8 @@ this it will be necessary to manually remove the Nix store and other
auxiliary data:</para> auxiliary data:</para>
<screen> <screen>
rm -rf /nix/store $ rm -rf /nix/store
rm -rf /nix/var</screen> $ rm -rf /nix/var</screen>
</sect1> </sect1>
@ -147,6 +150,42 @@ respectively). When installed from the RPM packages, these
directories are owned by <systemitem directories are owned by <systemitem
class='username'>root</systemitem>.</para> class='username'>root</systemitem>.</para>
<sect2><title>Setuid installation</title>
<para>As a somewhat <emphasis>ad hoc</emphasis> hack, you can also
install the Nix binaries <quote>setuid</quote> so that a Nix store can
be shared among several users. To do this, configure Nix with the
<emphasis>--enable-setuid</emphasis> option. Nix will be installed as
owned by a user and group specified by the
<option>--with-nix-user=<parameter>user</parameter></option> and
<option>--with-nix-group=<parameter>group</parameter></option>
options. E.g.,
<screen>
$ ./configure --enable-setuid --with-nix-user=my_nix_user --with-nix-group=my_nix_group</screen>
The user and group default to <literal>nix</literal>. You should make
sure that both the user and the group exist. Any <quote>real</quote>
users that you want to allow access should be added to the Nix
group.</para>
<warning><para>A setuid installation should only by used if the users
in the Nix group are mutually trusted, since any user in that group
has the ability to change anything in the Nix store or database. For
instance, they could install a trojan horse in executables used by
other users.</para></warning>
<warning><para>On some platforms, the Nix binaries will be installed
as setuid <literal>root</literal>. They drop root privileges
immediately after startup and switch to the Nix user. The reason for
this is that both the real and effective user must be set to the Nix
user, and POSIX has no system call to do this. This is not the case
on systems that have the <function>setresuid()</function> system call
(such as Linux and FreeBSD), so on those systems the binaries are
simply owned by the Nix user.</para></warning>
</sect2>
</sect1> </sect1>

View file

@ -1,4 +1,4 @@
<?xml version="1.0"?> <?xml version="1.0"?>
<locatingRules xmlns="http://thaiopensource.com/ns/locating-rules/1.0"> <locatingRules xmlns="http://thaiopensource.com/ns/locating-rules/1.0">
<uri pathSuffix=".xml" typeId="DocBook"/> <uri pattern="*.xml" typeId="DocBook"/>
</locatingRules> </locatingRules>