NixCon 2022

Running the Nix daemon (nearly) rootless
10-21, 11:30–11:35 (Europe/Paris), Main track (Gym)

Making Nix follow the principle of least privilege by removing as much as possible the need to it to run as root

In multi-user mode, the Nix daemon is expected to run as root.
This is quite annoying from a security point of view as the Nix codebase is (somewhat) large and not properly audited. Because of that it is also an adoption blocker in some places.
I turns out that there's very few places where Nix actually needs to be root, and we can remove or isolate these, as done in

Do you allow your talk to be recorded? – yes What level of experience in Nix is the talk addressed to?


Théophane is a software engineer at Tweag I/O, and lead of the Nix team there.
He's also an active Nix contributor and member of the NixOS foundation board.