accept-flake-config allows running commands as root #9649

@9999years

Describe the bug

With the --accept-flake-config option or accept-flake-config = true in nix.conf, any flake build (nix build, nix develop, nix run, etc.) gets root access.

Steps To Reproduce

$ git clone https://github.com/9999years/accept-flake-config-demo.git
$ cd accept-flake-config-demo
$ nix build --accept-flake-config --print-build-logs
my-cool-and-normal-derivation (post)> root

Demo here: https://github.com/9999years/accept-flake-config-demo/

Expected behavior

I expected accept-flake-config might do something like use untrusted caches, but "root access" is pretty extreme, and the manual doesn't say "enabling this setting is equivalent to giving root access to any flake you interact with" when it describes accept-flake-config.

nix-env --version output

nix-env (Nix) 2.18.1

Additional context

I don't think this is a bug per se, in that the behavior is intended, but I don't think this should be allowed in the general case, and even if it is, the manual should make it a lot clearer how dangerous this setting is.

It might be nice to have accept-flake-config take a list of settings instead, so that (e.g.) accept-flake-config = allow-import-from-derivation substituters would allow flakes to set the allow-import-from-derivation or substituters options, but not builders or post-build-hook.

Priorities

Add 👍 to issues you find important.
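
Added example, not part of the original issue and not Nix's own code: a small audit that reads nix.conf text for a blanket `accept-flake-config = true` and shows how the per-setting allowlist proposed above would split a flake's requested settings. The list-valued form of accept-flake-config is hypothetical (Nix does not implement it), the sample inputs are constructed, and judging `extra-` settings by their base name is an assumption.

```python
# Constructed sample nix.conf; a later assignment overrides an earlier one.
SAMPLE_NIX_CONF = """\
experimental-features = nix-command flakes
accept-flake-config = false
accept-flake-config = true   # constructed override
"""

# Constructed sample of the settings a flake requests through nixConfig.
SAMPLE_FLAKE_NIXCONFIG = {
    "allow-import-from-derivation": "true",
    "extra-substituters": "https://cache.example.invalid",
    "post-build-hook": "/constructed/placeholder-hook",
}

# Hypothetical allowlist, using the two setting names from the issue's example.
ALLOWED = {"allow-import-from-derivation", "substituters"}

def effective_setting(conf_text, name):
    """Return the last value assigned to `name` in nix.conf text, or None.

    include / !include directives are skipped, not followed.
    """
    value = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if "=" not in line:
            continue  # blank line or include directive
        key, _, val = line.partition("=")
        if key.strip() == name:
            value = val.strip()
    return value

def partition_flake_settings(requested, allowed):
    """Split flake-requested settings into (accepted, rejected) by allowlist."""
    accepted, rejected = {}, {}
    for key, val in requested.items():
        # Assumption: extra-<name> appends to <name>, so judge it by <name>.
        base = key[len("extra-"):] if key.startswith("extra-") else key
        (accepted if base in allowed else rejected)[key] = val
    return accepted, rejected

def audit(conf_text, requested, allowed=ALLOWED):
    """Report blanket acceptance and what the allowlist would let through."""
    blanket = effective_setting(conf_text, "accept-flake-config") == "true"
    accepted, rejected = partition_flake_settings(requested, allowed)
    return {"blanket_accept": blanket,
            "accepted": sorted(accepted), "rejected": sorted(rejected)}
```
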
