[UX] Better info for untrusted users #8248

Open
angerman opened this issue Apr 22, 2023 · 13 comments

@angerman
Contributor

Since 2.14, we have

warn("ignoring untrusted substituter '%s', you are not a trusted user.\n"
from @rapenne-s (#7461), which adds "you are not a trusted user." to the warning, which is already a good improvement.

ignoring untrusted substituter 'https://bleh.cachix.org', you are not a trusted user.

From reports by users (most of whom use nix out of necessity, not because they like it particularly much), we know that this warning is

  1. ignored.
  2. not sufficiently helpful
    • What is a trusted user? (where do I find out more?)
    • How do I rectify this? (also, I don't really care about the details, just make it work!)

It might be more helpful to (our) users if there was a message right at the start along the lines of:

You are not a trusted-user as per your /etc/nix/nix.conf.  This means you won't be able to use 
substitutes not listed in your /etc/nix/nix.conf (even if you say you trust them).  The flake you
are about to load has a few settings that require a trusted user.

Please add $(whoami) to your nix.conf
<insert diff of current nix.conf to nix.conf with $(whoami) added>

If you do not want to see this message again, please set NIX_NO_ADVISE, or (some /etc/nix/nix.conf) flag.

Do you want to continue? y/N

Priorities

Add 👍 to issues you find important.

@angerman angerman added the bug label Apr 22, 2023
@angerman
Contributor Author

If this is something that would be appreciated, I'd be happy to work on this.

@MaksimShakavin

> Please add $(whoami) to your nix.conf <insert diff of current nix.conf to nix.conf with $(whoami) added>

This part is not really clear

@rapenne-s
Member

The message should also tell you to look at the nix.conf man page to read about the substituters, where some extra explanation has been added (see the diff in #7461).

I agree the message could be clearer, but in the previous PR it has been said by the maintenance team that the message should be short and defer any explanation to the documentation.

@jkarni

jkarni commented Dec 4, 2023

Someone pointed out to me that they have @wheel group in trusted-users. This seems like a sane default that might prevent this issue from happening in most cases?

@rapenne-s
Member

rapenne-s commented Dec 5, 2023

> Someone pointed out to me that they have @wheel group in trusted-users. This seems like a sane default that might prevent this issue from happening in most cases?

This is like having sudo with passwordless. I let you think about the possible exploits

@jkarni

jkarni commented Dec 5, 2023

> This is like having sudo with passwordless. I let you think about the possible exploits

I kind of agree. At the same time, isn't having yourself in the trusted-users the same problem? And having that option at all dangerous?

@rapenne-s
Member

> isn't having yourself in the trusted-users the same problem?

it is exactly the same issue, that's why it's not a default

> And having that option at all dangerous?

options are harmless when used wisely, there are cases when you want the build user to be able to actually build without needing to be root, in a docker environment with nix-daemon service for instance.

Basically, an interactive user where you log in should have the least privileges possible. Having a dedicated user that would be a nix trusted user makes more sense than giving this power to your own user, as long as there is some kind of authentication process to switch from one to the other (sudo with password, su - with password etc...)

@brainrake

trusted-users allows passwordless root so should probably not be encouraged: #9649 (comment)
Instead, the warning could show the diff to add the binary caches to /etc/nix/nix.conf.

@ntc2

ntc2 commented Jul 17, 2024

Related: #6672

@wenzeslaus

Whatever the solution is, this is definitely a UX and documentation issue for me. I'm a new user and I was not able to figure out what I'm supposed to do. My search mostly yields issues or discussions like this one. I just want a reasonably safe developer environment without warnings.

@brainrake

brainrake commented Nov 1, 2024

edit /etc/nix/nix.conf (or use NixOS options) to configure the nix daemon:

# only have root in trusted-users to prevent privilege escalation
trusted-users = root
# add cache urls here
substituters = https://cache.nixos.org <other-cache>
# add cache public keys here
trusted-public-keys = <nixos-cache-public-key> <other-cache-public-key>

replace <placeholder>s with appropriate values

@wenzeslaus

Thank you. This was the final kick I needed to get rid of the warnings, although the solution is not 100%.

In /etc/nix/nix.conf, I changed the extra-trusted-substituters and extra-trusted-public-keys into substituters and trusted-public-keys. Then I added the cache. I'm not sure if that made any difference since I have config in home and nix develop wants to create it when I don't have it.

I added trusted-users and added my user into that. So, I'm not following the best practice here. With root only, I get warning: ignoring the client-specified setting 'trusted-public-keys', because it is a restricted setting and you are not a trusted user.

I saw somewhere that the warning is related to config in my home (rather than the global one), but if I delete the config file ~/.local/share/nix/trusted-settings.json, I get the questions about adding the stuff to the config again even when I have the substituters in /etc/nix/nix.conf. So, that's why I ended up adding my user to trusted-users.

Back to the UX, if the file or the message would tell me that I needed to restart the daemon, that would have also helped. (As a total nix newbie, my questions are: Is there a daemon? Does it pick the config during start or when I do nix develop?)

It seems to me that nix develop asks me about creating config in home (does not say where the config is explicitly), but then it is not able to use the config later because of the global settings.

@brainrake

Right. There is a daemon (unless running in single-user mode). It does need to be restarted to pick up the settings (usually systemctl restart nix-daemon).
nix develop takes the nixSettings flake attribute and applies it on top of the nix config similarly to CLI options, but with the trusted-settings.json logic. Some flake nixConfig (like substituters) needs trusted-users, but that is insecure so substituters should be added to system nix config as above.

If you have a lot of substituters and lookup is slow, another option is to use trusted-substituters (and trusted-public-keys) in the system nix.conf. These are trusted but not used by default, and a flake or cli config can enable their use even if coming from a user not in trusted-users.
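
As an added example (not part of the thread and not Nix's own code), the script below audits a nix.conf for the two points discussed above: entries in trusted-users other than root, and whether a cache URL is listed in substituters or trusted-substituters. It assumes plain `key = value` lines with `extra-<key>` appending to `<key>` and no include directives; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not Nix code): audit a nix.conf for the points raised above.
# Assumes plain "key = value" lines, "extra-<key>" appending to <key>, and
# no include directives. All function names are hypothetical.
set -f   # values such as "*" or "?priority=10" must not be glob-expanded

# Print the effective, space-separated value of setting $2 in file $1.
nix_conf_get() {
    awk -v key="$2" '
        { sub(/#.*/, "")                       # drop comments
          eq = index($0, "="); if (eq == 0) next
          name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (name == key) out = val           # a later line overrides
          else if (name == "extra-" key) out = out " " val }
        END { sub(/^ +/, "", out); print out }' "$1"
}

# Print trusted-users entries other than root; status 1 if there are any.
risky_trusted_users() {
    risky=""
    for u in $(nix_conf_get "$1" trusted-users); do
        [ "$u" = root ] || risky="$risky $u"
    done
    echo "${risky# }"
    [ -z "$risky" ]
}

# Status 0 if cache URL $2 is in substituters or trusted-substituters of $1,
# i.e. usable without the caller being in trusted-users.
cache_allowed() {
    want=${2%/}
    for s in $(nix_conf_get "$1" substituters) \
             $(nix_conf_get "$1" trusted-substituters); do
        [ "${s%/}" = "$want" ] && return 0
    done
    return 1
}

# Constructed sample configuration (cache URL taken from the warning above).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
trusted-users = root @wheel   # group entry
extra-trusted-users = alice
substituters = https://cache.nixos.org
trusted-substituters = https://bleh.cachix.org/
EOF
risky_trusted_users "$SAMPLE" || echo "^ non-root entries found in trusted-users"
cache_allowed "$SAMPLE" https://bleh.cachix.org && echo "bleh cache: allowed"
```

Point the functions at /etc/nix/nix.conf to check a real system; the daemon only picks up changes after a restart, as noted in the comment above.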
