Description
Is your feature request related to a problem? Please describe.
We are getting closer to #5208, a Nix daemon without root, but an issue that is brought up is that this currently doesn't provide much value on NixOS: since the system itself is running via symlinks to the store, the Nix daemon could in principle modify those paths and take over the system, giving itself root's powers.
Describe the solution you'd like
A simple and ham-fisted solution is that store objects in the NixOS closure should continue to be owned by root, not the Nix daemon. The daemon can simply not manage those objects while they are owned by root, and will fail if it tries to do so.
Nix itself can't and shouldn't know about NixOS, so from its perspective it would look like this:
- all paths in the Nix Store must be at least as secure as the nix daemon user/group/whatever owning them.
- some paths, for reasons unknown to the Nix daemon, may be more secure. So it would need to understand that having the owner be some random unknown user is bad and a security hole, vs. having it owned by root (I guess view some UID/GID or whitelist? Or just hard-code UID 0 as a special case?), which is not bad: even though the practical effect that the daemon cannot manage those files is the same, it trusts those other, more powerful users to take care of those files.
Then we just need Nix to fail gracefully when trying to do things with root-owned paths.
The nixos-rebuild script or similar will have to manage the chowning of paths to and from root. (They are disowned from root and given back to the Nix daemon when the NixOS generation is removed, and thus those paths become free to be garbage-collected.)
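The ownership policy sketched above, written out as an added example (this is not Nix's code, and the classification names, the `daemon_uid` parameter and the sample store paths are assumptions made here): objects owned by the daemon are manageable, objects owned by UID 0 are skipped gracefully, and any other owner or a world-writable mode is reported as a security hole.

```python
import stat
from enum import Enum

ROOT_UID = 0


class Ownership(Enum):
    MANAGED = "managed"      # owned by the daemon: it may modify or garbage-collect it
    PROTECTED = "protected"  # owned by root (part of the NixOS closure): leave alone, no error
    INSECURE = "insecure"    # owned by an unknown user or world-writable: security hole


def classify_owner(uid: int, mode: int, daemon_uid: int) -> Ownership:
    """Hypothetical policy check for one store object, given its stat() uid and mode."""
    # A world-writable object is weaker than daemon ownership no matter who owns it.
    if mode & stat.S_IWOTH:
        return Ownership.INSECURE
    if uid == daemon_uid:
        return Ownership.MANAGED
    if uid == ROOT_UID:
        return Ownership.PROTECTED
    return Ownership.INSECURE


def plan_gc(candidates, daemon_uid: int):
    """Split GC candidates into (deletable, skipped).

    candidates: iterable of (path, uid, mode) triples, e.g. from os.lstat().
    Root-owned paths are skipped without failing the whole collection; any path
    with an unexpected owner aborts the run, since that is the case the daemon
    must treat as a compromise rather than as 'someone else's business'.
    """
    deletable, skipped = [], []
    for path, uid, mode in candidates:
        cls = classify_owner(uid, mode, daemon_uid)
        if cls is Ownership.INSECURE:
            raise PermissionError(f"{path}: unexpected owner uid={uid} mode={oct(mode)}")
        (deletable if cls is Ownership.MANAGED else skipped).append(path)
    return deletable, skipped


# Constructed sample: a rootless daemon running as uid 1001 looks at three paths.
SAMPLE = [
    ("/nix/store/aaaa-nixos-system",   ROOT_UID, 0o555),  # current generation, root-owned
    ("/nix/store/bbbb-unused-tool",    1001,     0o555),  # daemon-owned, no longer referenced
    ("/nix/store/cccc-old-generation", 1001,     0o444),  # chowned back after the generation was removed
]

if __name__ == "__main__":
    print(plan_gc(SAMPLE, daemon_uid=1001))
```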
Describe alternatives you've considered
Not sure, I welcome other ideas.
Additional context
See #5208 for more details of what the rootless nix daemon is planned to look like.