git warning with sudo nixos-rebuild build as root

stephen-huan commented 2 months ago

Describe the bug

Not sure when exactly, but I think after the switch from git to libgit2 in ee36a44bf272c8cca62a2ce96a017a8150c4d35b was introduced to the default nix package on nixos-unstable, running sudo sudo nixos-rebuild switch (note the two sudo's) gives

building the system configuration...
fatal: detected dubious ownership in repository at '/keep/home/ikue/.config/home-manager/.git'
To add an exception for this directory, call:

    git config --global --add safe.directory /keep/home/ikue/.config/home-manager/.git
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
warning: could not read HEAD ref from repo at '/keep/home/ikue/.config/home-manager', using 'master'

Note that the system is still successfully built from the master branch of my personal configuration to result.

Running sudo nixos-rebuild build (only one sudo) gives

building the system configuration...

as expected. Equivalently, the warnings occur if one is root (sudo su) and runs sudo nixos-rebuild build and does not occur if nixos-rebuild build is ran as root. I'm not sure why there is a difference between sudo sudo and sudo.

Steps To Reproduce

The quirks in my setup that could be contributing are

My NixOS configuration is based on flakes. This is why a git repo is read from at all.
I use impermanence, which is why my configuration is in /keep. This means my configuration is technically on a different filesystem than / (which is a tmpfs). That is, df -h shows

Filesystem             Size  Used Avail Use% Mounted on
devtmpfs               1.6G     0  1.6G   0% /dev
tmpfs                   16G   35M   16G   1% /dev/shm
tmpfs                  7.7G  6.2M  7.7G   1% /run
tmpfs                   16G  960K   16G   1% /run/wrappers
tmpfs                  2.0G  5.2M  2.0G   1% /
/dev/VolumeGroup/root  883G  283G  556G  34% /keep
efivarfs               128K   21K  103K  18% /sys/firmware/efi/efivars
tmpfs                  3.1G   52K  3.1G   1% /run/user/1000
/dev/nvme0n1p1        1022M   47M  976M   5% /boot

The exact sequence of resolved symlinks is something like

/etc/nixos/flake.nix -> /etc/static/nixos/flake.nix
/etc/static/nixos/flake.nix -> /home/ikue/.config/home-manager/flake.nix
/home/ikue/.config/home-manager/ -> /nix/store/8hsazz933czilwdv5094fqb6xznlmqmg-home-manager-files/.config/home-manager
/nix/store/8hsazz933czilwdv5094fqb6xznlmqmg-home-manager-files/.config/home-manager -> /nix/store/aya860p5kg2zzfrsiqnby2sz1pyysbm5-keep-home-ikue-config-home-manager
/nix/store/aya860p5kg2zzfrsiqnby2sz1pyysbm5-keep-home-ikue-config-home-manager -> /keep/home/ikue/.config/home-manager

The permissions are normal as far as I can tell. That is, stat ~/.config/home-manager/.git shows

  File: /home/ikue/.config/home-manager/.git
  Size: 4096        Blocks: 8          IO Block: 4096   directory
Device: 254,2   Inode: 33031164    Links: 8
Access: (0755/drwxr-xr-x)  Uid: ( 1000/    ikue)   Gid: (  100/   users)

Expected behavior

No warnings.

nix-env --version output

nix-env (Nix) 2.18.7

Additional context

Originally reported in https://github.com/NixOS/nixpkgs/issues/325154 because I mistook it for an issue with enableNg.

Priorities

Add :+1: to issues you find important.

tv42 commented 1 month ago

https://discourse.nixos.org/t/nixos-rebuild-switch-fails-under-flakes-and-doas-with-git-warning-about-dubious-ownership/46069

tv42 commented 1 month ago

https://github.com/NixOS/nix/issues/6443

https://github.com/NixOS/nixpkgs/issues/169193

NixOS / nix

git warning with sudo nixos-rebuild build as root #11622