Motivation

Add functionality to manage POSIX ACLs (access control lists) on Nix store paths (including .drv files) and derivation build logs.

In particular:

Adds a nix store access command with the following subcommands:
- info
- protect / unprotect
- grant / revoke
Adds a --protect flag to nix build and nix store add-*
Adds __permissions argument to builtins.derivation, and permissions argument to builtins.path, which allow to control the permissions on corresponding store objects.

For now, all of these are hidden behind --experimental-flags acls

Context

https://github.com/NixOS/rfcs/pull/143

Add a C++ interface for POSIX ACLs
Add a Nix data structure to describe ACLs of a store path (AccessStatus), which can be
- protected (if NOT protected, readable and executable by everyone; else readable and executable only by entities)
- entities (list of entities (users and groups) that have access to a path if it is protected)
Implement setting and getting AccessStatus on a local store and remote daemon store
- If the path/derivation does not exist yet, apply the AccessStatus as soon as the path appears
Add CLI subcommands and language primitives to manage AccessStatus-es

Nov 03 '23 09:11 balsoft

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/tweag-nix-dev-update-54/39990/1

Feb 19 '24 10:02 nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/tweag-nix-dev-update-55/40996/1

Mar 08 '24 08:03 nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/secrets-in-nix-suck-and-how-to-fix-them/43822/5

Apr 21 '24 19:04 nixos-discourse