NixOS:master ← tweag:acls
opened 09:55AM - 03 Nov 23 UTC
# Motivation
Add functionality to manage POSIX ACLs (access control lists) on …Nix store paths (including `.drv` files) and derivation build logs.
In particular:
+ Adds a `nix store access` command with the following subcommands:
- `info`
- `protect` / `unprotect`
- `grant` / `revoke`
+ Adds a `--protect` flag to `nix build` and `nix store add-*`
+ Adds `__permissions` argument to `builtins.derivation`, and `permissions` argument to `builtins.path`, which allow to control the permissions on corresponding store objects.
For now, all of these are hidden behind `--experimental-flags acls`
# Context
https://github.com/NixOS/rfcs/pull/143
## Implementation strategy
- Add a C++ interface for POSIX ACLs
- Add a Nix data structure to describe ACLs of a store path (`AccessStatus`), which can be
+ `protected` (if NOT protected, readable and executable by everyone; else readable and executable only by entities)
+ `entities` (list of entities (users and groups) that have access to a path if it is protected)
- Implement setting and getting `AccessStatus` on a local store and remote daemon store
+ If the path/derivation does not exist yet, apply the AccessStatus as soon as the path appears
- Add CLI subcommands and language primitives to manage `AccessStatus`-es
# Priorities
Add :+1: to [pull requests you find important](https://github.com/NixOS/nix/pulls?q=is%3Aopen+sort%3Areactions-%2B1-desc).