search

NixOS / nix

Nix, the purely functional package manager
https://nixos.org/
GNU Lesser General Public License v2.1
13k stars 1.54k forks source link

[2.20.5 regression] `nix eval` fails with `'/etc/nixos': ... is not owned by current user` #10202

Open trofi opened 9 months ago

trofi commented 9 months ago

Describe the bug

After NixOS upgraded to nix-2.20.5 some evals ran as user started failing as:

$ nix eval --impure --raw /etc/nixos#nixosConfigurations.$(hostname).config.system.build.toplevel.drvPath
error:
       … while fetching the input 'git+file:///etc/nixos'

       error: opening Git repository '/etc/nixos': repository path '/etc/nixos/' is not owned by current user

These used to work. Runing a sudo works as expected (but I think it's a needless constraint):

$ sudo nix eval --impure --raw /etc/nixos#nixosConfigurations.$(hostname).config.system.build.toplevel.drvPath
/nix/store/qr5v3hbc1hh16cgac7s6nbf5ixnp914p-nixos-system-nz-24.05.20240309.de66856.drv

Permissions and IDs:

$ ls -ld /etc/nixos
drwxr-xr-x 1 root root 1014 Mar  6 22:25 /etc/nixos

$ id
uid=1000 ...

nix-env --version output: nix-env (Nix) 2.20.5

Priorities

Add :+1: to issues you find important.

trofi commented 9 months ago

Currently working it around with $ git config --global --add safe.directory /etc/nixos as current user.

thufschmitt commented 9 months ago

Yes, that's very likely a consequence of https://nvd.nist.gov/vuln/detail/CVE-2022-24765 from the Git side.

We could probably specify the path to the git repo explicitly to disable that check when we know it's safe (and once https://github.com/NixOS/nix/pull/6464 is merged 😒 )

arcuru commented 9 months ago

I suspect I hit the same issue after updating. Same nix version (2.20.5) but I am using a flake repo in my home directory to manage my NixOS machine.

sudo nixos-rebuild failed because of the ownership issue, and being on nixos using a nixos-rebuild switch command failed for the user. I needed to change the ownership of my flake repo to root to let me update.

sudo works above because your /etc/nixos is owned by root.

❯ sudo nixos-rebuild switch --flake .#carbon
error:
       … while fetching the input 'git+file:///home/patrick/.dotfiles'

       error: opening Git repository '/home/patrick/.dotfiles': repository path '/home/patrick/.dotfiles/' is not owned by current user
❯ nixos-rebuild switch --flake .#carbon
building the system configuration...
error: creating symlink from '/nix/var/nix/profiles/.0_system' to 'system-745-link': Permission denied
❯ sudo chown root /home/patrick/.dotfiles/ -R
❯ sudo nixos-rebuild switch --flake .#carbon
building the system configuration
<----snipped---->
Aleksanaa commented 8 months ago

I can think of two workarounds for nixos-rebuild:

  1. Use nixos-rebuild switch --use-remote-sudo instead of sudo nixos-rebuild switch.
  2. Bind mount /etc/nixos to another path and set owner to you.

Still waiting for a proper solution.

fricklerhandwerk commented 8 months ago

Triaged in Nix team meeting:

nixos-discourse commented 8 months ago

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2023-03-27-nix-team-meeting-134/42961/1

GaetanLepage commented 1 month ago

This is now impacting a broader range of users as nix has been updated to 2.24.9 on nixos-unstable.

ModestTG commented 1 month ago

I'm also experiencing this issue. Switching my flake repo to be owned by root was the only solution that worked for me. On nix version 2.24.9 from unstable.

roberth commented 1 month ago

It seems feasible to implement looser rules than what seems to be implemented in libgit2, but we should also consider the possibility that this is a libgit2 bug, as the error in this issue is from libgit2, and the git cli apparently does not complain about this.

A fix in libgit2 may be easier to implement, and patching is not a problem, especially if upstream agrees about the semantics.

Alternatively it seems that we could disable libgit2's check by setting safe.directory (temporarily, in the Nix process), using the wildcard. Slightly safer, for Nix library users would be to append to safe.directory around here, using this slightly cryptic function. However, we should only do any of that if libgit2 implements incomplete or incorrect logic and they don't want to change it.

roberth commented 1 month ago

Any help would be appreciated.

vonjackets commented 1 month ago

Ran into this issue trying to build a flake using a Kubernetes Gitlab Ci CD runner w/o root. Also on the nix:2.24.9 image, running git config --global --add safe.directory "$(pwd)" seems a fine workaround until this is addressed by nix.

ModestTG commented 1 month ago

Is there a way to downgrade just the nix package to the one in nixos-24.05 while this gets resolved? I'm not sure what flake configuration that would be. I'm unable to get the fix suggested by @vonjackets to work on my system. I have to switch my git repo to have root:root permissions in order to nixos-rebuild at all.

cooparo commented 1 month ago

Doesn't work for me neither. Even with the workaround now stopped working, I've tried in my global git config:

[safe]
directory = "/PATH/TO/FLAKE"

or 

[safe]
directory = "*"

Works only settings the ownership of the flake repo (and .git repo) to root

roberth commented 1 month ago

running git config --global --add safe.directory "$(pwd)" seems a fine workaround

IIUC this should be run as root, e.g:

cd /path/to/flake
sudo git config --global --add safe.directory "$PWD"
vonjackets commented 1 month ago

Good catch, the official nix image I'm using runs as root by default, I hadn't caught that

Yahoo Mail: Search, Organize, Conquer

On Fri, Nov 1, 2024 at 10:19, Robert @.***> wrote:

running git config --global --add safe.directory "$(pwd)" seems a fine workaround

IIUC this should be run as root, e.g: cd /path/to/flake sudo git config --global --add safe.directory "$PWD" — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: @.***>