Description
Problem
In multi-user mode, Nix currently assumes that the daemon is running as root (and the installer sets things up that way).
This can be (and in practice is) a blocker for some corporate environments where installing Nix could be acceptable, but running it as root is out of the question.
More generally, this is a security concern as it means running a fairly large (and not tremendously well audited) codebase as root.
Most of what Nix does, however, doesn't require it: for the most part, all the Nix daemon needs is to be able to write to the `/nix` directory.
So it should be possible to run the Nix daemon as its own dedicated user, which would also be the user of /nix.
Solution
Make it possible (and the default) to have the Nix daemon run as a non-root user
Additional context
What is root used for atm? (and how can we avoid it?)
(Possibly I’m missing some uses, please let me know if you think of something that’s not already there)
- Writing to the Nix store. This can trivially be changed by changing the owner of the store (like in single-user mode).
- Using the build users. This is partially redundant with the build sandbox, except that
  1. The build sandbox doesn't actually change the user, which might mean that different sandboxed builds might still be able to interfere with each other.
  2. Fixed-output derivations aren't sandboxed.
  3. The sandbox is costly, so the default configuration (`sandbox = relaxed`) allows derivations to opt out of it (by setting `__noChroot`).

  Point 1 can be fixed by using a subuid mapping for the `nix` user (like all container systems do).
  Points 2 and 3 can be fixed by having a light sandbox that can be used both by FO derivations and `__noChroot` derivations.
- The GC needs to follow the roots through the user home directories (for indirect roots).
  I don't think there's a solution to that, so I think the root discovery system will have to be factored out into a separate executable (with a much smaller attack surface) with the right capabilities.
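To make the "subuid mapping for the `nix` user" idea concrete, here is an added example (not Nix's own code, and not part of the issue above) that derives a per-build `uid_map` from a `/etc/subuid` allocation, the way rootless container runtimes do. It assumes a daemon account named `nix` owning a subordinate uid range, a fixed number of concurrent build slots each taking one host uid from that range, and an arbitrary in-sandbox uid of 1000 for the builder; the `/etc/subuid` content and uids are constructed for the example. Because a non-root daemon may only write its own identity into `/proc/<pid>/uid_map`, the multi-line mapping has to go through the setuid `newuidmap(1)` helper, which the example also builds the command line for.

```python
"""Per-build uid_map derivation from /etc/subuid (added example, not Nix code).

Assumptions (not from the issue): daemon user `nix`, one host uid per build
slot taken from its subuid range, and in-sandbox builder uid 1000.
Kernel uid_map lines are "inside-uid outside-uid count".
"""

# Constructed /etc/subuid content for the example; not from a real host.
SUBUID = """\
alice:100000:65536
nix:165536:65536
"""

# In-sandbox uid the build runs as (assumed value for the example).
SANDBOX_BUILD_UID = 1000


def parse_subuid(text):
    """Return {user: [(start, count), ...]} from /etc/subuid-style lines."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges


def build_uid_map(subuid_text, user, slot, max_slots, daemon_uid):
    """uid_map for build slot `slot`: sandbox uid -> a host uid unique to the slot.

    The daemon's own uid is mapped to 0 inside the namespace so it can set the
    sandbox up; each slot gets a disjoint host uid, so two concurrent builds never
    share a kernel uid even if both escape the chroot-level isolation.
    """
    ranges = parse_subuid(subuid_text).get(user)
    if not ranges:
        raise ValueError(f"no subuid range for {user}")
    start, count = ranges[0]
    if not 0 <= slot < max_slots:
        raise ValueError(f"slot {slot} outside 0..{max_slots - 1}")
    if max_slots > count:
        raise ValueError(f"{user} has only {count} subuids for {max_slots} slots")
    host_uid = start + slot
    return [(0, daemon_uid, 1), (SANDBOX_BUILD_UID, host_uid, 1)]


def newuidmap_argv(pid, uid_map):
    """Command line for newuidmap(1): `newuidmap pid uid loweruid count ...`.

    An unprivileged parent can only write its own uid into /proc/pid/uid_map;
    the setuid helper consults /etc/subuid and writes the multi-line mapping.
    """
    argv = ["newuidmap", str(pid)]
    for inside, outside, count in uid_map:
        argv += [str(inside), str(outside), str(count)]
    return argv


def uid_map_text(uid_map):
    """Render the mapping as the kernel would accept it in /proc/pid/uid_map."""
    return "".join(f"{i} {o} {c}\n" for i, o, c in uid_map)


def slots_collide(subuid_text, user, max_slots, daemon_uid):
    """True if any two slots share a host uid, or a slot reuses the daemon uid."""
    seen = set()
    for slot in range(max_slots):
        for inside, outside, _ in build_uid_map(subuid_text, user, slot, max_slots, daemon_uid):
            if inside == 0:
                continue
            if outside in seen or outside == daemon_uid:
                return True
            seen.add(outside)
    return False


if __name__ == "__main__":
    daemon_uid = 30000  # constructed uid of the `nix` account
    for slot in range(3):
        m = build_uid_map(SUBUID, "nix", slot, 32, daemon_uid)
        print(f"slot {slot}:", " ".join(newuidmap_argv(4242, m)))
        print(uid_map_text(m), end="")
    print("collisions:", slots_collide(SUBUID, "nix", 32, daemon_uid))
```

The check in `slots_collide` is the property the issue's point 1 is after: with a uid range delegated through `/etc/subuid`, sandboxed builds land on distinct kernel uids without the daemon itself being root.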