I am investigating a solution to provide some remote builder services. The idea is that I want to provide the following services:
- a shared nix store
- a shared remote ssh builder, which can be used in
nix --builders ssh://my-user@my-hostflag by my users, then the built closure is uploaded to the shared nix store
So that users can avoid rebuilding a nix package if someone else occasionally triggers a build for the same derivation input.
Because the remote builder is shared between users, I definitely don’t want a derivation affects other derivations even if any of them includes malicious code.
According to Multi-User Mode:
If they could do so, they could install a Trojan horse in some package and compromise the accounts of other users.
To prevent this, the Nix store and database are owned by some privileged user (usuallyroot) and builders are executed under special user accounts (usually namednixbld1,nixbld2, etc.).
It seems that multi-user mode could prevent Trojan horses from affecting other users, but I don’t know how to achieve the goal. Questions in my mind include:
- How to minimize the permission for
my-userso that it cannot do anything but trigger the Nix daemon to run a derivation? - What if a user passes a derivation to run the shell script
rm -rf /nix/storeto the remote builder? Would it destroy the shared nix store? - Do I need to enforce sandboxing mode?