NixCon 2022

Running the Nix daemon (nearly) rootless
2022-10-21 , Main track (Gym)

Making Nix follow the principle of least privilege by removing as much as possible the need to it to run as root


In multi-user mode, the Nix daemon is expected to run as root.
This is quite annoying from a security point of view as the Nix codebase is (somewhat) large and not properly audited. Because of that it is also an adoption blocker in some places.
I turns out that there's very few places where Nix actually needs to be root, and we can remove or isolate these, as done in https://github.com/NixOS/nix/pull/5380.


Do you allow your talk to be recorded?: yes What level of experience in Nix is the talk addressed to?:

Mid-level

Théophane is a software engineer at Tweag I/O, and lead of the Nix team there.
He's also an active Nix contributor and member of the NixOS foundation board.