input-output-hk / devx

The Developer Experience Shell - This repo contains a nix develop shell for haskell. Its primary purpose is to help get a development shell for haskell quickly and across multiple operating systems (and architectures).
Apache License 2.0

`trusted-users` allows running commands as root without password (in `README.md`) #116

Closed peter-mlabs closed 6 months ago

peter-mlabs commented 9 months ago

Adding a user to `trusted-users` essentially gives them passwordless root access when used in combination with `post-build-hook` (which users can add at will). This is especially problematic if `accept-flake-config = true;` is added to `nix.conf`, because it will allow any flake build unauthenticated root access.

I believe the only reason `trusted-users` is being used is to set up binary caches -- if this is the case, we should add instructions on setting up binary caches in a different way.

N.B.: cachix currently recommends adding your user as a trusted-user to set up the binary cache. A similar issue has been raised on that repo here. This means that there will most likely be a new "best practice" recommendation from cachix, which this repo should ostensibly follow.
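
A way to check an existing `nix.conf` for the two settings this issue describes, as an added example that is not part of the original issue or of the devx project. The function names and the sample configuration are assumptions constructed for illustration; the parser handles `#` comments and the `extra-` prefix but does not follow `include` lines.

```python
# Added example: audit nix.conf text for the settings discussed in this issue.
# SAMPLE_NIX_CONF is constructed for illustration, not taken from a real host.
SAMPLE_NIX_CONF = """\
# constructed sample
experimental-features = nix-command flakes
trusted-users = root alice @wheel
accept-flake-config = true
substituters = https://cache.nixos.org
"""


def parse_nix_conf(text):
    """Return {setting: [values]}. A later line overrides an earlier one,
    and an extra-<name> line appends to <name>."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue  # blank line, comment, or include directive
        key, _, value = line.partition("=")
        key, values = key.strip(), value.split()
        if key.startswith("extra-"):
            settings.setdefault(key[len("extra-"):], []).extend(values)
        else:
            settings[key] = values
    return settings


def audit(text):
    """Return findings for entries that grant the trust this issue warns about."""
    conf = parse_nix_conf(text)
    findings = []
    for entry in conf.get("trusted-users", ["root"]):
        if entry == "root":
            continue  # root is the default and is already root
        kind = "group" if entry.startswith("@") else "user"
        findings.append(f"trusted-users: {kind} '{entry}' can act as root via the daemon")
    if conf.get("accept-flake-config") == ["true"]:
        findings.append("accept-flake-config: flake-supplied settings are applied without prompting")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NIX_CONF):
        print(finding)
```

Run it against the contents of `/etc/nix/nix.conf` and any per-user `nix.conf`; an empty result means neither setting is present in the text that was checked.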