NixOS / nix

Nix, the purely functional package manager
https://nixos.org/
GNU Lesser General Public License v2.1

[2.20.5 regression] `nix eval` fails with `'/etc/nixos': ... is not owned by current user` #10202

Open trofi opened 6 months ago

trofi commented 6 months ago

Describe the bug

After NixOS upgraded to nix-2.20.5, some evals run as a user started failing with:

$ nix eval --impure --raw /etc/nixos#nixosConfigurations.$(hostname).config.system.build.toplevel.drvPath
error:
       … while fetching the input 'git+file:///etc/nixos'

       error: opening Git repository '/etc/nixos': repository path '/etc/nixos/' is not owned by current user

These used to work. Running with sudo works as expected (but I think it's a needless constraint):

$ sudo nix eval --impure --raw /etc/nixos#nixosConfigurations.$(hostname).config.system.build.toplevel.drvPath
/nix/store/qr5v3hbc1hh16cgac7s6nbf5ixnp914p-nixos-system-nz-24.05.20240309.de66856.drv

Permissions and IDs:

$ ls -ld /etc/nixos
drwxr-xr-x 1 root root 1014 Mar  6 22:25 /etc/nixos

$ id
uid=1000 ...

nix-env --version output: nix-env (Nix) 2.20.5

trofi commented 6 months ago

Currently working around it with `git config --global --add safe.directory /etc/nixos` as the current user.

thufschmitt commented 6 months ago

Yes, that's very likely a consequence of https://nvd.nist.gov/vuln/detail/CVE-2022-24765 from the Git side.

We could probably specify the path to the git repo explicitly to disable that check when we know it's safe (and once https://github.com/NixOS/nix/pull/6464 is merged 😒 )

arcuru commented 5 months ago

I suspect I hit the same issue after updating. Same nix version (2.20.5) but I am using a flake repo in my home directory to manage my NixOS machine.

sudo nixos-rebuild failed because of the ownership issue, and being on nixos using a nixos-rebuild switch command failed for the user. I needed to change the ownership of my flake repo to root to let me update.

sudo works above because your /etc/nixos is owned by root.

❯ sudo nixos-rebuild switch --flake .#carbon
error:
       … while fetching the input 'git+file:///home/patrick/.dotfiles'

       error: opening Git repository '/home/patrick/.dotfiles': repository path '/home/patrick/.dotfiles/' is not owned by current user
❯ nixos-rebuild switch --flake .#carbon
building the system configuration...
error: creating symlink from '/nix/var/nix/profiles/.0_system' to 'system-745-link': Permission denied
❯ sudo chown root /home/patrick/.dotfiles/ -R
❯ sudo nixos-rebuild switch --flake .#carbon
building the system configuration
<----snipped---->

Aleksanaa commented 5 months ago

I can think of two workarounds for nixos-rebuild:

  1. Use nixos-rebuild switch --use-remote-sudo instead of sudo nixos-rebuild switch.
  2. Bind mount /etc/nixos to another path and set owner to you.

Still waiting for a proper solution.

fricklerhandwerk commented 5 months ago

Triaged in Nix team meeting:

nixos-discourse commented 5 months ago

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2023-03-27-nix-team-meeting-134/42961/1
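
The ownership check behind the errors in this thread, as an added shell example that is not code from Nix, Git or any commenter: access is allowed when the repository's owner uid equals the current uid or the path is listed in `safe.directory`, and refused otherwise. The function names (`verdict`, `check_repo`, `norm`) are hypothetical, and the check is a simplified model of the real one.

```shell
#!/bin/sh
# Added example: model of the repository ownership check discussed above.
# Simplified; the real check lives in Git/libgit2, not in this script.

# Drop one trailing slash (but keep a bare "/") so '/etc/nixos/' == '/etc/nixos'.
norm() { sed 's:\(.\)/$:\1:'; }

# verdict OWNER_UID CURRENT_UID REPO SAFE_LIST
# SAFE_LIST holds newline-separated safe.directory values.
# Prints the outcome; returns 0 when access is allowed, 1 when refused.
verdict() {
    v_owner=$1
    v_current=$2
    v_repo=$(printf '%s\n' "$3" | norm)
    if [ "$v_owner" = "$v_current" ]; then
        echo "allowed: owned by current user"
        return 0
    fi
    # Entries are matched literally; Git also accepts '*' for "any directory".
    if printf '%s\n' "$4" | norm | grep -Fxq -e "$v_repo" -e '*'; then
        echo "allowed: listed in safe.directory"
        return 0
    fi
    echo "refused: owner uid $v_owner != current uid $v_current"
    return 1
}

# check_repo PATH: collect the real values for PATH and the invoking user.
# Only system and global config are read, for the user running the command,
# so under sudo that is root's configuration.
check_repo() {
    cr_path=$(cd "$1" && pwd -P) || return 2
    cr_owner=$(stat -c %u "$cr_path" 2>/dev/null || stat -f %u "$cr_path") || return 2
    cr_safe=$( { git config --system --get-all safe.directory
                 git config --global --get-all safe.directory; } 2>/dev/null ) || true
    verdict "$cr_owner" "$(id -u)" "$cr_path" "$cr_safe"
}

# Run against a path when one is given, e.g.: sh check.sh /etc/nixos
if [ $# -gt 0 ]; then
    check_repo "$1"
fi
```

With the values from the first report (`/etc/nixos` owned by uid 0, caller uid 1000) `verdict` refuses until the path is added to `safe.directory`; run as root against a user-owned flake directory it refuses for the same reason, which matches the `sudo nixos-rebuild` failure above.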