Multi-User Mode

To allow a Nix store to be shared safely among multiple users, it isimportant that users are not able to run builders that modify the Nixstore or database in arbitrary ways, or that interfere with buildsstarted by other users. If they could do so, they could install a Trojanhorse in some package and compromise the accounts of other users.

To prevent this, the Nix store and database are owned by some privilegeduser (usuallyroot) and builders are executed under special useraccounts (usually namednixbld1,nixbld2, etc.). When a unprivilegeduser runs a Nix command, actions that operate on the Nix store (such asbuilds) are forwarded to aNix daemon running under the owner of theNix store/database that performs the operation.

Note

Multi-user mode has one important limitation: only root and a set oftrusted users specified innix.conf can specify arbitrary binarycaches. So while unprivileged users may install packages fromarbitrary Nix expressions, they may not get pre-built binaries.

Setting up the build users

Thebuild users are the special UIDs under which builds are performed.They should all be members of thebuild users groupnixbld. Thisgroup should have no other members. The build users should not bemembers of any other group. On Linux, you can create the group and usersas follows:

$ groupadd -r nixbld$ for n in $(seq 1 10); do useradd -c "Nix build user $n" \    -d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" \    nixbld$n; done

This creates 10 build users. There can never be more concurrent buildsthan the number of build users, so you may want to increase this if youexpect to do many builds at the same time.

Running the daemon

TheNix daemon should be started asfollows (asroot):

$ nix-daemon

You’ll want to put that line somewhere in your system’s boot scripts.

To let unprivileged users use the daemon, they should set theNIX_REMOTE environment variable todaemon. So you should put a line like

export NIX_REMOTE=daemon

into the users’ login scripts.

Restricting access

To limit which users can perform Nix operations, you can use thepermissions on the directory/nix/var/nix/daemon-socket. For instance,if you want to restrict the use of Nix to the members of a group callednix-users, do

$ chgrp nix-users /nix/var/nix/daemon-socket$ chmod ug=rwx,o= /nix/var/nix/daemon-socket

This way, users who are not in thenix-users group cannot connect tothe Unix domain socket/nix/var/nix/daemon-socket/socket, so theycannot perform Nix operations.