Nix remote builder hardening

I have a Hetzner machine with 24 cores and want to share it with semi-trusted users as a remote nix build server.

Has anyone done some work to restrict the user access to only the nix daemon? I don’t want the user to run arbitrary commands after accessing the account over SSH.

2 Likes

What do you want to prevent? If you want to prevent people from reading or writing files, ACLs allow you to prohibit users from reading world-readable directories; CPU hogging seems to be exactly what you do want to allow, and please remember that network operations can be done inside fixed-output builds.

I think you (or they) can use a fixed-output build to slowly print meaningless log lines (to prevent silence timeout) and open shell access into the build sandbox. The necessary data can be preloaded as a dependency.

I don’t really know much about how hardened the nix-daemon is. I suppose that our default hardening flags are passed at compile time. However, for our remote builders we give access over SSH only, prepending the command parameter to each public key in authorized_keys, e.g.:

command="NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt /nix/var/nix/profiles/default/bin/nix-store --serve --write" ssh-ed25519 AA...
2 Likes
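An added example, not code from the thread or from the Nix project: a small audit of an authorized_keys file that checks every key is pinned to `nix-store --serve` as in the post above. It also checks for OpenSSH's `restrict` option (or the individual `no-*` options), because a forced command on its own leaves TCP, agent and X11 forwarding available to the key holder. The function names and the sample entries are constructed for illustration.

```python
import re

KEY = re.compile(r"(ssh-|ecdsa-|sk-)\S+\s+\S+")            # "<type> <blob>"
OPT = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(,|\s+|$)')
ENV = re.compile(r"[A-Za-z_]\w*=")                         # leading VAR=value
NO_FLAGS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty", "no-user-rc"}
REENABLE = {"port-forwarding", "agent-forwarding", "x11-forwarding", "pty", "user-rc"}

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = """\
restrict,command="NIX_SSL_CERT_FILE=/etc/ssl/ca.crt /nix/var/nix/profiles/default/bin/nix-store --serve --write" ssh-ed25519 AAAAPLACEHOLDER1 alice
command="/nix/var/nix/profiles/default/bin/nix-store --serve --write" ssh-ed25519 AAAAPLACEHOLDER2 bob
ssh-ed25519 AAAAPLACEHOLDER3 carol
restrict,pty,command="nix-store --serve" ssh-ed25519 AAAAPLACEHOLDER4 dave
command="nix-store --serve --write ssh-ed25519 AAAAPLACEHOLDER5 " erin
"""

def split_options(line):
    """Return ({option: value}, rest of line); quoted values may hold spaces and commas."""
    opts, pos, sep = {}, 0, ","
    while sep == "," and not KEY.match(line, pos):
        m = OPT.match(line, pos)
        if not m:
            return opts, ""              # malformed options, no key can be located
        opts[m.group(1).lower()], sep, pos = m.group(2) or "", m.group(3), m.end()
    return opts, line[pos:]

def audit(text):
    """Return [(line_no, finding)] for keys not confined to 'nix-store --serve'."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        if not KEY.match(rest):
            findings.append((n, "no key after the options (misplaced quote?)"))
            continue
        words = opts.get("command", "").split()
        while words and ENV.match(words[0]):
            words.pop(0)                 # skip environment assignments before the binary
        if len(words) < 2 or not re.fullmatch(r"(.*/)?nix-store", words[0]) or words[1] != "--serve":
            findings.append((n, "key is not forced to 'nix-store --serve'"))
        if "restrict" in opts and REENABLE & set(opts):
            findings.append((n, "'restrict' is partly undone by a re-enabling option"))
        elif "restrict" not in opts and not NO_FLAGS <= set(opts):
            findings.append((n, "forwarding/pty still allowed; add 'restrict'"))
    return findings
```

Calling `audit(open(path).read())` on a builder account's authorized_keys returns an empty list only when every key is both pinned to the forced command and stripped of forwarding and PTY access.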

Thanks @periklis, that’s what I had in mind. It’s quite similar to git server sandboxing.

Obviously, like @7c6f434c highlighted nicely, it’s not a complete solution, but it’s a good start already. This should prevent accidental abuse.