10-21, 11:30–11:35 (Europe/Paris), Main track (Gym)
Making Nix follow the principle of least privilege by removing, as much as possible, the need for it to run as root
In multi-user mode, the Nix daemon is expected to run as root.
This is quite annoying from a security point of view as the Nix codebase is (somewhat) large and not properly audited. Because of that it is also an adoption blocker in some places.
It turns out that there are very few places where Nix actually needs to be root, and we can remove or isolate these, as done in https://github.com/NixOS/nix/pull/5380.
Mid-level
Do you allow your talk to be recorded? – yes
Théophane is a software engineer at Tweag I/O, and lead of the Nix team there.
He's also an active Nix contributor and member of the NixOS foundation board.