[Nix-dev] NixOS issue: Passwords and Nix store

Nicolas Pierron nicolas.b.pierron at gmail.com
Sun Jun 12 12:34:01 CEST 2011


On Sat, Jun 11, 2011 at 15:55, Marc Weber <marco-oweber at gmx.de> wrote:
> I'm not sure I was able to follow you.
>
> Having a private database would be fun - cause you can change passwords
> without recompiling anything.. However this probably means you have to
> patch all applications?

The idea was to use the database to transcribe store files into static
files.  Applications would then rely on these static files.

>
> passwords in store and restricting access:
> think about henry and sally choosing the same password by accident...
>
> Now the trouble starts:
> - one can notice that a derivation won't be built - thus he / she knows
>  that another user is using the same password
> - user IDs would not work - cause many users should be able to
>  use the same { pwd = "same-password"} derivation. ACLs would be a
>  way. Thus building a derivation which already exists would mean adding
>  access rights for a user.
>
> Which use cases are bothering you making you think about this issue?

Last one was UPS configuration files.  Multiple configuration files
rely on each other: one declares the UPS, the other declares the
access rules (with plain text passwords), and the last one declares the
local/remote UPS to be monitored with a user (master, slave, ...) and
a password.

My point is that you cannot rely on NixOS for such a problem because you
cannot handle passwords without adding a lot of tricks which would
make the Nix expression difficult to understand/maintain.  That's why
I raised this topic to choose one good manner for handling this
problem.

-- 
Nicolas Pierron
http://www.linkedin.com/in/nicolasbpierron - http://nbp.name/
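
One possible reading of the "transcribe store files into static files" idea in the message above, as an added example that is not code from this thread or from NixOS. The `@SECRET:name@` placeholder syntax, the function name `render_secret_file`, the dictionary standing in for the private database, and the sample configuration are all assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Hypothetical placeholder syntax; the world-readable store file carries only names.
PLACEHOLDER = re.compile(r"@SECRET:([A-Za-z0-9_.-]+)@")


def render_secret_file(template_path, secrets, dest_path, mode=0o600):
    """Fill placeholders in a store template and write the result outside the store.

    `secrets` stands in for the private database. Returns the secret names used.
    """
    with open(template_path, encoding="utf-8") as f:
        template = f.read()
    used = []

    def fill(match):
        name = match.group(1)
        if name not in secrets:
            raise KeyError(f"no secret named {name!r} in the private database")
        used.append(name)
        return secrets[name]

    rendered = PLACEHOLDER.sub(fill, template)
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    # mkstemp creates the file readable by its owner only, so the secret is
    # never on disk with wider permissions; os.replace then swaps it in atomically.
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".secret-")
    try:
        os.fchmod(fd, mode)
        with os.fdopen(fd, "w", encoding="utf-8") as out:
            out.write(rendered)
        os.replace(tmp, dest_path)
    except BaseException:
        os.unlink(tmp)
        raise
    return used


def demo():
    """Render a constructed template; return (template text, output text, output mode)."""
    with tempfile.TemporaryDirectory() as d:
        template = os.path.join(d, "store-template.conf")  # stands in for a store file
        with open(template, "w", encoding="utf-8") as f:
            f.write("[monitor]\n  user = master\n  password = @SECRET:ups_monitor@\n")
        dest = os.path.join(d, "static.conf")
        render_secret_file(template, {"ups_monitor": "constructed-example-pw"}, dest)
        with open(template, encoding="utf-8") as f, open(dest, encoding="utf-8") as g:
            return f.read(), g.read(), os.stat(dest).st_mode & 0o777
```

Because the template contains only the secret's name, two users who happen to pick the same password no longer produce the same store content, which also sidesteps the shared-derivation problem raised in the quoted text.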
