Restricted users

I want to create a user account on my computer that is very restricted.

On Arch Linux I just didn’t make that user root, also I made sure nix wasn’t in that user’s PATH, additionally I didn’t put that user into allowed-users.

I was totally fine that I had to install software for that user manually and globally using pacman.

Now as I have switched to NixOS, I still have that user not in allowed-users, but I’d be happy if that user were able to manage whitelisted software on their own.

I’d be fine with nix-env only as a starting point (they will probably only install an office, a browser and some games) though if I could perhaps convince them to use home-manager later on, I’d be happy if that works as well.

Plus points if it is possible to deny logins without my (or my wife’s) explicit consent when not in the main usage time.

More plus points if I could tell NetworkManager that this user should use a different proxy and DNS than all the other accounts on the computer, without touching any existing user sessions in the background…

Any hints on making this possible and therefore a user account “child safe”?

Make sure not to harden it too much so they can be happy and think they have bested you :slight_smile:

On the users.users.<name?> there is the .packages attribute that might come in handy to give them a list of pre-installed packages. Home-manager has per-user sessionVariables which I don’t think is supported by NixOS at the moment; this could be useful to set a HTTP_PROXY environment variable. If you want to change DNS then it would require sandboxing though.

For nixpkgs, it might be possible to fake nixpkgs with something like this:

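```nix
# Accept the same arguments as the real nixpkgs and pass them through.
{ ... }@attrs:
let
  realPkgs = import /path/to/real/nixpkgs attrs;
in
{
  # Expose only the whitelisted attributes (a, b, c are placeholders).
  inherit (realPkgs)
    a
    b
    c;
}
```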

Save that in a default.nix and then set their NIX_PATH=nixpkgs=/path/to/fakepkgs.

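A NixOS configuration combining the suggestions in this thread, as an added example that is not part of the original posts. The user name `kid`, the two packages and the use of `environment.extraInit` to set `NIX_PATH` for one account are assumptions; `nix.settings.allowed-users` is the option name on recent NixOS releases.

```nix
# configuration.nix fragment (added example; "kid" and the package list are placeholders)
{ pkgs, ... }:
{
  users.users.kid = {
    isNormalUser = true;
    # Not in "wheel": the account gets no sudo rights.
    extraGroups = [ ];
    # Pre-installed software; only whoever edits this file can change the list.
    packages = with pkgs; [ firefox libreoffice ];
  };

  # Only these accounts may talk to the Nix daemon. While "kid" is absent,
  # nix-env fails for that user regardless of what NIX_PATH points to.
  nix.settings.allowed-users = [ "root" "@wheel" ];

  # To let "kid" install from the filtered package set, add "kid" to the list
  # above and point the account at the fake nixpkgs. NIX_PATH is only a default
  # that the user can override in their own shell, so the filter guides package
  # lookups; the allowed-users list is the actual access control.
  environment.extraInit = ''
    if [ "$USER" = "kid" ]; then
      export NIX_PATH=nixpkgs=/path/to/fakepkgs
    fi
  '';
}
```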