NixOS / nix

Nix, the purely functional package manager
https://nixos.org/
GNU Lesser General Public License v2.1

[UX] Better info for untrusted users #8248

Open angerman opened 1 year ago

angerman commented 1 year ago

Since 2.14, we have https://github.com/NixOS/nix/blob/7474a90db69813d051ab1bef35c7d0ab958d9ccd/src/libstore/daemon.cc#L225 from @rapenne-s (#7461), which adds "you are not a trusted user." to the warning, which is already a good improvement.

ignoring untrusted substituter 'https://bleh.cachix.org', you are not a trusted user.

From user reports (most users use Nix out of necessity, not because they particularly like it) we know that this warning is

  1. ignored.
  2. not sufficiently helpful
    • What is a trusted user? (where do I find out more?)
    • How do I rectify this? (also, I don't really care about the details, just make it work!)

It might be more helpful to (our) users if there was a message right at the start along the lines of:

You are not a trusted-user as per your /etc/nix/nix.conf.  This means you won't be able to use 
substitutes not listed in your /etc/nix/nix.conf (even if you say you trust them).  The flake you
are about to load has a few settings that require a trusted user.

Please add $(whoami) to your nix.conf
<insert diff of current nix.conf to nix.conf with $(whoami) added>

If you do not want to see this message again, please set NIX_NO_ADVISE, or (some /etc/nix/nix.conf) flag.

Do you want to continue? y/N


angerman commented 1 year ago

If this is something that would be appreciated, I'd be happy to work on this.

MaksimShakavin commented 1 year ago

Please add $(whoami) to your nix.conf <insert diff of current nix.conf to nix.conf with $(whoami) added>

This part is not really clear.

rapenne-s commented 1 year ago

The message should also tell you to look at the nix.conf man page to read about the substituters, where some extra explanation has been added (see the diff in https://github.com/NixOS/nix/pull/7461).

I agree the message could be clearer, but in the previous PR it has been said by the maintenance team that the message should be short and defer any explanation to the documentation.

jkarni commented 11 months ago

Someone pointed out to me that they have @wheel group in trusted-users. This seems like a sane default that might prevent this issue from happening in most cases?

rapenne-s commented 11 months ago

Someone pointed out to me that they have @wheel group in trusted-users. This seems like a sane default that might prevent this issue from happening in most cases?

This is like having passwordless sudo. I'll let you think about the possible exploits.

jkarni commented 11 months ago

This is like having passwordless sudo. I'll let you think about the possible exploits.

I kind of agree. At the same time, isn't having yourself in the trusted-users the same problem? And is having that option at all dangerous?

rapenne-s commented 11 months ago

isn't having yourself in the trusted-users the same problem?

It is exactly the same issue; that's why it's not a default.

And having that option at all dangerous?

Options are harmless when used wisely; there are cases when you want the build user to be able to actually build without needing to be root, in a Docker environment with the nix-daemon service for instance.

Basically, an interactive user where you log in should have the least privileges possible. Having a dedicated user that would be a nix trusted user makes more sense than giving this power to your own user, as long as there is some kind of authentication process to switch from one to the other (sudo with password, su - with password etc...)

brainrake commented 11 months ago

trusted-users allows passwordless root so should probably not be encouraged: https://github.com/NixOS/nix/issues/9649#issuecomment-1868001568 Instead, the warning could show the diff to add the binary caches to /etc/nix/nix.conf.

ntc2 commented 4 months ago

Related: https://github.com/NixOS/nix/issues/6672

wenzeslaus commented 2 weeks ago

Whatever the solution is, this is definitely a UX and documentation issue for me. I'm a new user and I was not able to figure out what I'm supposed to do. My search mostly yields issues or discussions like this one. I just want a reasonably safe developer environment without warnings.

brainrake commented 2 weeks ago

Edit /etc/nix/nix.conf (or use NixOS options) to configure the nix daemon:

# only have root in trusted-users to prevent privilege escalation
trusted-users = root
# add cache urls here
substituters = https://cache.nixos.org <other-cache>
# add cache public keys here
trusted-public-keys = <nixos-cache-public-key> <other-cache-public-key>

Replace the <placeholder>s with appropriate values.

wenzeslaus commented 2 weeks ago

Thank you. This was the final kick I needed to get rid of the warnings, although the solution is not 100%.

In /etc/nix/nix.conf, I changed the extra-trusted-substituters and extra-trusted-public-keys into substituters and trusted-public-keys. Then I added the cache. I'm not sure if that made any difference since I have config in home and nix develop wants to create it when I don't have it.

I added trusted-users and added my user into that. So, I'm not following the best practice here. With root only, I get warning: ignoring the client-specified setting 'trusted-public-keys', because it is a restricted setting and you are not a trusted user.

I saw somewhere that the warning is related to config in my home (rather than the global one), but if I delete the config file ~/.local/share/nix/trusted-settings.json, I get the questions about adding the stuff to the config again even when I have the substituters in /etc/nix/nix.conf. So, that's why I ended up adding my user to trusted-users.

Back to the UX, if the file or the message would tell me that I needed to restart the daemon, that would have also helped. (As a total nix newbie, my questions are: Is there a daemon? Does it pick the config during start or when I do nix develop?)

It seems to me that nix develop asks me about creating config in home (does not say where the config is explicitly), but then it is not able to use the config later because of the global settings.

brainrake commented 2 weeks ago

Right. There is a daemon (unless running in single-user mode). It does need to be restarted to pick up the settings (usually systemctl restart nix-daemon). nix develop takes the nixSettings flake attribute and applies it on top of the nix config similarly to CLI options, but with the trusted-settings.json logic. Some flake nixConfig (like substituters) needs trusted-users, but that is insecure so substituters should be added to system nix config as above.

If you have a lot of substituters and lookup is slow, another option is to use trusted-substituters (and trusted-public-keys) in the system nix.conf. These are trusted but not used by default, and a flake or cli config can enable their use even if coming from a user not in trusted-users.
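To make the trade-off in brainrake's two comments concrete (root-only trusted-users, caches listed in substituters, and trusted-substituters as the opt-in middle ground), here is an added audit script that is not part of the issue or of Nix itself. It uses a simplified nix.conf reader (key = value lines, `#` comments, `extra-` prefixes; no `include` handling) and a constructed sample config with placeholder cache URLs.

```python
"""Audit a nix.conf for the trusted-users / substituter settings discussed in the issue."""

# Constructed sample config for the demonstration; not a real system file.
SAMPLE_CONF = """\
# trusted-users grants root-equivalent power to every member listed here
trusted-users = root @wheel
substituters = https://cache.nixos.org
extra-substituters = https://example-cache.invalid   # added via the extra- form
trusted-substituters = https://other-cache.invalid
trusted-public-keys = cache.nixos.org-1:PLACEHOLDER-KEY
"""


def parse_nix_conf(text):
    """Return {setting: [values]} using nix.conf's whitespace-separated lists.

    'extra-<name>' appends to <name>, which is how nix.conf merges such lines.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment anywhere
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("extra-"):
            settings.setdefault(key[len("extra-"):], []).extend(value.split())
        else:
            settings[key] = value.split()
    return settings


def audit_trusted_users(settings):
    """Flag every trusted-users entry other than root (users and @groups alike)."""
    risky = [u for u in settings.get("trusted-users", ["root"]) if u != "root"]
    if not risky:
        return []
    return [f"trusted-users grants root-equivalent access to: {' '.join(risky)}"]


def substituter_status(settings, url):
    """Classify how the daemon treats a cache that a flake or CLI option requests."""
    if url in settings.get("substituters", ["https://cache.nixos.org"]):
        return "used-by-default"
    if url in settings.get("trusted-substituters", []):
        return "enabled-on-request"  # usable by an untrusted user who opts in
    return "ignored-for-untrusted-users"  # the warning from the issue title


if __name__ == "__main__":
    conf = parse_nix_conf(SAMPLE_CONF)
    print(audit_trusted_users(conf))
    print(substituter_status(conf, "https://other-cache.invalid"))
```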