nix-channel doesn't work as expected with sudo

[LnL7]

On macOS it seems like nix-channel doesn't behave correctly when just using sudo. I'm not sure if this also happens on other platforms, but it works fine on nixos.

$ sudo nix-channel --list
$ sudo -i nix-channel --list
nixpkgs http://nixos.org/channels/nixpkgs-unstable

and even more confusing

$ sudo nix-channel --add http://nixos.org/channels/foo
$ sudo nix-channel --update
unpacking channels...
created 3 symlinks in user environment
$ sudo nix-channel --list
foo http://nixos.org/channels/foo
$ sudo -i nix-channel --list
nixpkgs http://nixos.org/channels/nixpkgs-unstable

$ ls -l ~/.nix-defexpr
lrwxr-xr-x   1 root  staff   44 Sep  1 21:41 channels -> /nix/var/nix/profiles/per-user/root/channels
lrwxr-xr-x   1 root  staff   44 Jul 23 12:26 channels_root -> /nix/var/nix/profiles/per-user/root/channels
$ ls /nix/var/nix/profiles/per-user/root/channels
binary-caches manifest.nix  nixpkgs
$ ls /nix/var/nix/profiles/per-user/lnl/channels
manifest.nix

[copumpkin]

cc @grahamc given that this changed with the multi-user setup

[domenkozar]

cc @jmitchell

[grahamc]

Doing some debugging, so far things are looking okay here:

nixos$ nix-channel --add https://nixos.org/channels/nixos-17.03 fizzbuzz
nixos$ nix-channel --update
downloading Nix expressions from ‘https://d3g5gsiof5omrk.cloudfront.net/nixos/17.03/nixos-17.03.1775.56da88a298/nixexprs.tar.xz’...
downloading ‘https://d3g5gsiof5omrk.cloudfront.net/nixos/17.03/nixos-17.03.1775.56da88a298/nixexprs.tar.xz’... [6975/9252 KiB, 6959.8 KiB/s]
unpacking channels...
nixos$ ls /nix/var/nix/profiles/per-user/grahamc/channels/           
binary-caches  fizzbuzz  manifest.nix

macos$ nix-channel --add https://nixos.org/channels/nixos-17.03 fizzbuzz
macos$ nix-channel --update
downloading Nix expressions from ‘https://d3g5gsiof5omrk.cloudfront.net/nixos/17.03/nixos-17.03.1775.56da88a298/nixexprs.tar.xz’...
downloading ‘https://d3g5gsiof5omrk.cloudfront.net/nixos/17.03/nixos-17.03.1775.56da88a298/nixexprs.tar.xz’... [7295/9252 KiB, 7277.6 KiB/s]
unpacking channels...
macos$ ls /nix/var/nix/profiles/per-user/graham/channels/
binary-caches   fizzbuzz    manifest.nix

I wonder if sudo nix-channel --add http://nixos.org/channels/foo (ie: without the second arg) is causing problems there.

I definitely have the problem:

nixos$ nix-channel --list                                 
fizzbuzz https://nixos.org/channels/nixos-17.03
nixos$ sudo nix-channel --list
nixos https://nixos.org/channels/nixos-17.03
nixos$ sudo -i nix-channel --list
nixos https://nixos.org/channels/nixos-17.03

macos$ nix-channel --list
fizzbuzz https://nixos.org/channels/nixos-17.03
macos$ sudo nix-channel --list
fizzbuzz https://nixos.org/channels/nixos-17.03
macos$ sudo -i nix-channel --list
nixpkgs https://nixos.org/channels/nixpkgs-unstable

[grahamc]

More info:

nixos$ sudo env | grep HOME=               
HOME=/root

plus

macos$ sudo env | grep HOME=
HOME=/Users/graham

plus

https://github.com/NixOS/nix/blob/1.11-maintenance/scripts/nix-channel.in#L25-L26

= nix-channel is looking at user's channels w/ sudo on macos, and root's channels w/ sudo on nixos.

This is because of this macOS default:

macos$ sudo cat /etc/sudoers | grep -i home
Defaults    env_keep += "HOME MAIL"

[nixy]

So where go from here?

It seems like a workaround would be to just edit the sudoers file when a multiuser installation is done. I'm not sure this would be a good idea though since this change has deeper implications than most of the other changes the multiuser install seems to make.

Would modifying the way Nix gets the home directory be better?

I'm interested in seeing this fixed. While this is a minor irritation it poses a pretty big barrier for people trying to use Nix on MacOS who are just starting out.

[edolstra]

Maybe something like: if HOME is set and exists but is owned by a different uid than the current user, then ignore it and use getpwuid instead.

[LnL7]

I would prefer not to depend on getpwuid but changing sudoers sounds like a terrible idea so it's probably the best solution.

[lingnand]

I removed HOME from my sudoer file as a workaround. Took me quite a bit of time hunting around as to why nix-channel --list shows nothing. At the very least with a fresh install on macos some warning would be useful to illustrate how to properly access the current nixos status given the multi user setup. Basically the confusion for me (as someone who just installed nix):

1. macos installer defaulted to multi user, whereas the quick start guide is geared towards single user (and there is no documentation illustrating why multi user is chosen as default or how is it better; there isn't even an obvious option to use single user during the setup)
2. inability to quickly see what the nix is actually using because of this bug

[fghibellini]

Related: https://stackoverflow.com/questions/47857211/what-nix-channel-is-subscribed-to-by-default/48128659

[blast-hardcheese]

I discovered this as well:

blast$ nix-channel --list
blast$ sudo nix-channel --list
Password:

though sudo has a -H flag that properly sets the HOME envvar, intended for this purpose:

blast$ sudo -H nix-channel --list
nixpkgs https://nixos.org/channels/nixpkgs-unstable
blast$ sudo -H nix-channel --update
unpacking channels...
created 2 symlinks in user environment

this was definitely confusing initially, as it seemed as though I could install packages without being subscribed to any channels at all.

[stale[bot]]

I marked this as stale due to inactivity. → More info

[blast-hardcheese]

well, until the questions around whether nix-channels should be removed/repurposed are resolved, I think this should probably not be closed because of "stale"

[stale[bot]]

I marked this as stale due to inactivity. → More info

[ghost]

Not stale.

Also occurs on NixOS with sudo -E (obviously).

[stale[bot]]

I marked this as stale due to inactivity. → More info

[virusdave]

This issue can be closed. I recently added a PR (since landed) which fixes this on macos.