rfcs/rfcs/0097-no-read-store-dir.md
2025-05-11 20:32:37 +02:00


---
feature: nix-store-perms
start-date: 2021-07-04
author: Las Safin
co-authors:
shepherd-team: @kevincox @7c6f434c @edolstra
shepherd-leader: @edolstra
related-issues:
---

# Summary

- NixOS should have a module for configuring the permissions set on /nix/store at boot.
- Nix should not enforce the permissions of /nix/store.
- When Nix or the NixOS installer creates a store that does not yet exist, the default permissions should be 1735 (sticky bit set; owner rwx, group -wx, other r-x). This means that the nixbld group cannot list the directory.

# Motivation

Right now you cannot set the permissions of /nix/store yourself, because Nix resets them every time it is used.

chmod g-r /nix/store is beneficial because the nixbld group does not actually need to read the directory: it only needs to write to it and "execute" (search) it. This should nevertheless be optional, since the user should be able to configure the permissions however they want.

Some users might also want to do things like chmod o-r /nix/store, which gives the interesting property that you cannot access paths you do not already know of: without read permission on the directory you cannot enumerate it, while the search bit still lets you reach a path by its full name. Note, however, that by default any process can read /proc/cmdline, /run/current-system and many other places that reveal the system's closure, so this permission change alone is an insufficient security measure in many cases. It is also entirely optional and is not the default in any way.

# Detailed design

Where Nix previously enforced the permissions, it now needs to set them only when the directory does not exist in the first place. The same applies to /nix/store/trash and /nix/store/.links.

Specifically, we need to modify the following places (not exhaustive):

# Examples and Interactions

You should be able to do something like the following, where the value is the octal mode applied to /nix/store at boot:

```nix
nix.store-perms = "xxxx";
```
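The behaviour this RFC asks for, as an added shell example that is not code from the RFC, from Nix or from NixOS: `ensure_dir` models "set the default mode only when the directory is created", `apply_store_perms` models what a boot-time option such as the sketched `nix.store-perms` would do, and the `can_list` / `can_read_known_path` checks show why `g-r` and `o-r` behave as described above (no enumeration without read, but a path whose name you already know stays reachable through the search bit). It runs against a throw-away mock store, assumes GNU coreutils (`stat -c`), and uses a constructed placeholder store path name rather than a real Nix hash.

```shell
#!/bin/sh
# Added example, not code from the RFC or from Nix/NixOS. Models, on a
# throw-away mock store:
#   * ensure_dir: apply the default mode only on creation, never to an
#     existing directory (the change from "enforce" to "set on creation");
#   * apply_store_perms: what a boot-time NixOS option like the RFC's
#     sketched nix.store-perms would do (apply the configured mode);
#   * can_list / can_read_known_path: why g-r and o-r work - without read
#     on the directory you cannot enumerate it, but a path whose name you
#     already know is still reachable through the search (x) bit.
# Assumes GNU coreutils (stat -c). KNOWN is a constructed placeholder,
# not a real Nix store hash.
set -eu

KNOWN="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-hello"   # constructed, not a real hash

# Octal mode of a path, e.g. "1735".
mode_of() {
    stat -c '%a' "$1"
}

# Create $1 with mode $2 only if it is absent; print the resulting mode.
# An existing directory keeps whatever the administrator set.
ensure_dir() {
    if [ ! -d "$1" ]; then
        mkdir -p "$1"
        chmod "$2" "$1"
    fi
    mode_of "$1"
}

# Boot-time application of a configured mode (unconditional, by design).
apply_store_perms() {
    chmod "$2" "$1"
    mode_of "$1"
}

# "yes" if the current user can enumerate directory $1, else "no".
# Root bypasses discretionary permissions, so as root this is always "yes".
can_list() {
    if ls "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# "yes" if the current user can read file $1 by its full name, else "no".
can_read_known_path() {
    if cat "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Build a mock store under a fresh temp dir with the RFC's default mode,
# then restrict the store root to search-only (the o-r idea, applied to
# the caller's own owner bits so the effect is visible without a second
# user). Prints the temp root.
demo() {
    root=$(mktemp -d)
    store="$root/store"
    ensure_dir "$store" 1735 >/dev/null
    ensure_dir "$store/trash" 700 >/dev/null
    ensure_dir "$store/.links" 700 >/dev/null
    mkdir -p "$store/$KNOWN"
    echo hello >"$store/$KNOWN/greeting"
    chmod 0311 "$store"
    echo "$root"
}

# Restore a readable mode before deleting, or rm cannot enumerate the store.
cleanup() {
    chmod 0755 "$1/store"
    rm -rf "$1"
}

# Stand-alone run: walk through the scenario and report what happened.
root=$(demo)
store="$root/store"
printf 'store mode:                              %s\n' "$(mode_of "$store")"
printf 'can list store:                          %s\n' "$(can_list "$store")"
printf 'can read known path:                     %s\n' "$(can_read_known_path "$store/$KNOWN/greeting")"
printf 'ensure_dir on existing store keeps mode: %s\n' "$(ensure_dir "$store" 1735)"
printf 'ensure_dir on a fresh dir sets mode:     %s\n' "$(ensure_dir "$root/fresh" 1735)"
cleanup "$root"
```

Run it as an unprivileged user to see the listing denial; as root the `ls` succeeds regardless, which is the same reason the RFC warns that directory permissions alone are not a complete security measure. Real NixOS would apply the mode to the actual /nix/store as root, so the `o-r` effect would then be felt by every non-root, non-nixbld user rather than by the owner as simulated here.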

# Drawbacks

If a user on a non-NixOS platform mistakenly sets the permissions of /nix/store to something undesirable, Nix will no longer revert them automatically.

# Alternatives

Leave things as they are: Nix keeps enforcing the permissions of /nix/store.

# Unresolved questions

There do not seem to be any.

# Future work

In the future we will likely want to reduce the default permissions of /nix/store as far as possible.