If I add users will people be able to see the names of the users without physical access to the machine if I’m using nix-serve and it’s publicly available?
Users are in the store; run grep -m1 -o '[^ ]*users-groups\.json' /run/current-system/activate to see the location.
But I believe an adversary would have to know or guess the hash of that file, or of something that uses it like your activation script, to read it over nix-serve. You can see the source of nix-serve and confirm that it doesn’t have any list-all-store-contents capabilities.
So I guess it’s not possible to publicly serve your Nix store without giving away the usernames and names of all the users.
Depends on your level of paranoia. If I point you at my publicly-served Nix store, you’d have to find some other vulnerability through which to get the hash of my users-groups.json file before you could exfiltrate that file though nix-serve. If you do that through something that can read /run, that exploit might be able to read /nix/store too, making the nix-serve step unnecessary. If you do that by DOSing my server with guesses, the 404s in my access log will result in you getting fail2banned first. So it’s not exactly the case that nix-serve gives anything away.
But defense in depth and all; it is a potential entry point if you have some way of getting the hash, and for some threat models that’s enough to lock it away.
1 Like