From bc3f4f8352b907bcc0e861451e3e2c8327587015 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 29 Nov 2006 23:41:21 +0000 Subject: [PATCH] * Set up Nix so that builds are never performed as root, but rather under nix-build-N. svn path=/nixos/trunk/; revision=7172 --- boot/boot-stage-2-init.sh | 33 ++++++++++++++++++++++++++++++++- boot/boot-stage-2.nix | 2 ++ installer/nixos-installer.sh | 4 +++- 3 files changed, 37 insertions(+), 2 deletions(-) diff --git a/boot/boot-stage-2-init.sh b/boot/boot-stage-2-init.sh index 262412c9eb4..e5ab202ea14 100644 --- a/boot/boot-stage-2-init.sh +++ b/boot/boot-stage-2-init.sh @@ -105,9 +105,18 @@ test -e /etc/login.defs || touch /etc/login.defs # Enable a password-less root login. +source @accounts@ + if ! test -e /etc/passwd; then - echo "root::0:0:root:/:@shell@" > /etc/passwd + if test -n "@readOnlyRoot@"; then + rootHome=/ + else + rootHome=/home/root + mkdir -p $rootHome + fi + createUser root '' 0 0 'System administrator' $rootHome/var/empty @shell@ fi + if ! test -e /etc/group; then echo "root:*:0" > /etc/group fi @@ -118,6 +127,28 @@ echo "127.0.0.1 localhost" > /etc/hosts echo "hosts: files dns" > /etc/nsswitch.conf +# Set up Nix accounts. +if test -z "@readOnlyRoot@"; then + + for i in $(seq 1 10); do + account=nix-build-$i + if ! userExists $account; then + createUser $account x \ + $((i + 30000)) $((i + 30000)) \ + 'Nix build user' /var/empty /noshell + fi + accounts="$accounts $account" + done + + mkdir -p /nix/etc/nix + cat > /nix/etc/nix/nix.conf <
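Review bot: The home-directory argument in the added `createUser root ...` call is `$rootHome/var/empty`, which does not match what the branch above prepares: `mkdir -p $rootHome` creates only `/home/root`, and with a read-only root the value expands to `//var/empty`. The `/var/empty` suffix may have been carried over from the build-user call in the following hunk. If root's home is meant to be `$rootHome` itself, the line should read `createUser root '' 0 0 'System administrator' "$rootHome" @shell@`, with the expansion quoted. `createUser` is defined in the sourced `@accounts@` file, which this hunk does not show, so confirm there that an empty second argument is written out as an empty password field. A short comment at the call, such as `# empty password field: root login stays password-less by design`, would stop the `''` being mistaken for an omission.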