[Nix-dev] Per-user package installations

Eelco Dolstra eelco at cs.uu.nl
Wed Aug 22 16:08:37 CEST 2007


Hi,

Ludovic Courtès wrote:

> While going through the "Quick Start" Section of the manual, I was
> surprised to see that, while `nix-channel --add' works without any
> special privileges, `nix-channel --update' and `nix-env' require root
> access.
> 
> Are there any plans to allow per-user channel updates and package
> installations, à la 0install?  If so, are there plans to allow sharing
> of channel manifests and installed packages among users of a machine?

Nix-env certainly doesn't require root access, if Nix is configured in the right
way.  (And "the right way" isn't documented yet, but NixOS is set up that way -
any user can install software.  I'll update the manual for the Nix 0.11 release
soon.)

In principle nix-channel could also work per user - the only problem is that
nix-channel does a nix-pull to get a list of pre-built binaries, and that's a
privileged operation that only root can do.  The reason for this is that
otherwise a user could register some bogus binary that doesn't correspond to its
purported derivation (the source build action from which the binary was
supposedly produced).  Building from source is safe because users cannot
influence builds (they're executed under a different, unique uid).

There is a paper about the Nix security model:

  http://people.cs.uu.nl/eelco/pubs/secsharing-ase2005-final.pdf

The current model is described in section 3.  The rest of the paper describes an
approach which would allow unprivileged users to do nix-pulls, but that model is
not implemented in the Nix trunk yet (though there is a branch that does it:
https://svn.cs.uu.nl:12443/repos/trace/nix/branches/secure/).

Anyway, it would be very simple to make nix-channel check whether it has write
permission to /nix/var/nix/manifests, and if not, skip the nix-pull.  Users
would still get downloads of prebuilt binaries for store paths that are in
channels subscribed to by root.

-- 
Eelco Dolstra | http://www.cs.uu.nl/~eelco
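The two rules in the reply above (only root-registered manifests are trusted as sources of pre-built binaries, and nix-channel should skip the nix-pull when it cannot write the shared manifests directory) as a small Python model. This is an added example, not part of the original message and not Nix's own code; the manifest format, the function names and the store paths are constructed for illustration.

```python
"""Simplified model (not Nix's own logic) of the trust rule for pre-built
binaries and of the proposed writability check in nix-channel."""
import os
import tempfile

ROOT_UID = 0  # uid whose registered manifests are trusted


def manifests_writable(manifests_dir):
    """The proposed nix-channel check: only attempt the privileged nix-pull
    when the calling user can write the shared manifests directory
    (/nix/var/nix/manifests in a real installation). A missing directory
    counts as not writable."""
    return os.access(manifests_dir, os.W_OK)


def plan_channel_update(manifests_dir):
    """Return the steps nix-channel would run for the calling user."""
    steps = ["fetch channel expression"]
    if manifests_writable(manifests_dir):
        steps.append("nix-pull")
    else:
        steps.append("skip nix-pull (manifests directory not writable)")
    return steps


def trusted_substitutes(manifests, trusted_uids=(ROOT_UID,)):
    """Collect store-path -> URL entries, but only from manifests registered
    by a trusted uid. A manifest is a constructed dict of the form
    {"owner_uid": int, "paths": {store_path: url}}. Entries from other
    users are ignored, so a user cannot make the store fetch a bogus binary
    in place of a real build; those paths fall back to a source build."""
    result = {}
    for manifest in manifests:
        if manifest["owner_uid"] not in trusted_uids:
            continue
        result.update(manifest["paths"])
    return result


def resolve(store_path, manifests):
    """Decide how a store path would be obtained: substitute or source build."""
    subs = trusted_substitutes(manifests)
    if store_path in subs:
        return ("substitute", subs[store_path])
    return ("build-from-source", None)


# Constructed sample data: one manifest registered by root, one by an
# unprivileged user who offers a binary for a path they did not build.
HELLO = "/nix/store/0000000000000000000000000000000a-hello-2.1"
OPENSSL = "/nix/store/0000000000000000000000000000000b-openssl-0.9.8"
SAMPLE_MANIFESTS = [
    {"owner_uid": ROOT_UID, "paths": {HELLO: "http://cache.example/hello.nar"}},
    {"owner_uid": 1000, "paths": {OPENSSL: "http://evil.example/openssl.nar"}},
]


def demo():
    """Run the model on the constructed data and return the decisions."""
    with tempfile.TemporaryDirectory() as writable_dir:
        plan_root = plan_channel_update(writable_dir)
    plan_user = plan_channel_update(os.path.join(tempfile.gettempdir(),
                                                 "no-such-manifests-dir"))
    return {
        "plan_when_writable": plan_root,
        "plan_when_not_writable": plan_user,
        "hello": resolve(HELLO, SAMPLE_MANIFESTS),
        "openssl": resolve(OPENSSL, SAMPLE_MANIFESTS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The writability test uses a missing directory for the "not writable" case rather than a chmod'ed one, because `os.access` reports every directory as writable when the process runs as root, which is exactly the user the reply says may perform the pull.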


