Open PaulGrandperrin opened 2 years ago
I think I ran into this when running `doas nixos-rebuild switch --flake .` ... Flakes require `git`, which I have installed via home-manager, but when running under doas, `git` cannot be found.

At first I assumed `keepEnv` wasn't being applied correctly; however, the generated `/etc/doas.conf` has it present. Investigating further, it looks like `PATH` isn't being "kept" by `keepEnv`, but other variables are:

```
$ which git
/home/matt/.nix-profile/bin/git
$ doas which git
which: no git in (/bin:/sbin:/usr/bin:/usr/sbin:/run/wrappers/bin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/local/bin:/usr/local/sbin)
$ echo $PATH
/run/wrappers/bin:/home/matt/.nix-profile/bin:/etc/profiles/per-user/matt/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin
$ doas bash -c 'echo $PATH'
/bin:/sbin:/usr/bin:/usr/sbin:/run/wrappers/bin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/local/bin:/usr/local/sbin
$ export FOO=bar
$ doas bash -c 'echo $FOO'
bar
```

Assuming this is because `PATH` is set by pam as per this issue.

Can the workaround be included in my nix system configuration or does it need to be added to nixpkgs instead?
> Since we control what goes in `/etc/pam/environment`, we can also set them in `/etc/doas.conf`. It's an eyesore and cannot handle variable interpolation like PAM, but here's my workaround:
Is there a reason not to upstream this workaround into the `doas` module? Because it's really an eyesore 😬

And anyway, the upstream project seems kinda dead.
I removed it from my conf and installed `please` instead.
Oh actually, `sudo-rs` seems to be the project to follow!
The initial weird bug

I wanted to set my time locale to ISO-8601, so I did:

but then, using `doas` to get root printed some warnings, though `date` in that root shell was using the correct locale. I still investigated a bit and found that `doas date` did not use the correct locale !??? After spending way too many hours troubleshooting this mystery, I finally found the root cause: https://github.com/Duncaen/OpenDoas/issues/2. It can also lead to many other difficult-to-understand issues.
Explanations

NixOS relies on some environment variables to be set to work properly. For example, `PATH` must include `/run/wrappers/bin` for SUID bins, `/run/current-system/sw/bin` for system bins and `/etc/profiles/per-user/$USER/bin` for user bins. We'll come back to `PATH` later.

Another important one is `LOCALE_ARCHIVE`, which is used by Nixpkgs' patched `glibc` to find which locale archive to load. Basically, the patch first tries to look up `LOCALE_ARCHIVE` and, if unsuccessful, loads a basic archive with only the "C/POSIX" locale available. (More info can be found here also: https://github.com/NixOS/nixpkgs/issues/85823)

To ensure that they are set everywhere, NixOS configures PAM to include them in all new sessions:
https://github.com/NixOS/nixpkgs/blob/nixos-21.11/nixos/modules/config/system-environment.nix#L68
https://github.com/NixOS/nixpkgs/blob/nixos-21.11/nixos/modules/security/pam.nix#L573
Unfortunately `doas` ignores those: https://github.com/Duncaen/OpenDoas/issues/2. This makes binaries started with `doas` behave incorrectly on NixOS: `locale-archive` will fail to load and fall back to a basic one. However, login shells also source `/etc/set-environment`, which also loads those variables. This doesn't solve the locale issue for the shell because the locale-archive is loaded only at startup time, but it makes programs started from the shell behave correctly.

`LOCALE_ARCHIVE`, the user env in `PATH` (`/etc/profiles/per-user/$USER/bin`), `NIX_PATH`, the XDG vars, `INFOPATH`, `LD_LIBRARY_PATH` and many others. Right now the `PATH` has some nix-specific paths thanks to this patch: https://github.com/NixOS/nixpkgs/blob/nixos-21.11/pkgs/tools/security/doas/0001-add-NixOS-specific-dirs-to-safe-PATH.patch

For example, on my machine, `git` is installed through home-manager and so is in `/etc/profiles/per-user/$USER/bin`. Scripts launched with `doas` will not find `git`. They'll also fail to load any locale.
Comparing with sudo
Solutions

Fix doas

The obvious solution is to make `doas` set the vars given by PAM, just like `sudo`. I'll speak with the maintainer referring to this issue.

Work around
Since we control what goes in `/etc/pam/environment`, we can also set them in `/etc/doas.conf`. It's an eyesore and cannot handle variable interpolation like PAM, but here's my workaround:

Inform the users?
In the meantime, I think we should update the docs to warn NixOS users of those shortcomings and workarounds. This is especially important because those bugs are difficult to analyze, and it is very unexpected that `doas` ignores PAM env vars.
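As an added example, not part of the issue and not code from nixpkgs or OpenDoas, the shell helper below shows the mechanics behind the "Work around" section of the issue body: it reads a constructed sample of the pam_env(8) file that NixOS writes to `/etc/pam/environment` and turns its `DEFAULT=` entries into the `setenv { ... }` block of a `doas.conf` permit rule. Because `doas.conf` cannot interpolate `@{PAM_USER}` the way pam_env does, the helper substitutes one fixed username and emits a rule bound to that user, which is exactly the limitation the issue calls an eyesore. The sample file contents, the username `matt`, and the function names `pam_env_to_setenv` and `doas_rule` are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed sample of the pam_env(8) file NixOS generates at /etc/pam/environment
# (sample contents only, not copied from any real system).
# Format per pam_env.conf(5): VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
# pam_env expands @{PAM_USER} at login; doas never reads this file, so the
# expansion has to be done by hand for each user a doas rule covers.
SAMPLE_PAM_ENV='# constructed sample, not a real system file
LOCALE_ARCHIVE   DEFAULT="/run/current-system/sw/lib/locale/locale-archive"
PATH   DEFAULT="/run/wrappers/bin:/etc/profiles/per-user/@{PAM_USER}/bin:/run/current-system/sw/bin"
NIX_PATH   DEFAULT="nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"'

# pam_env_to_setenv USER   (reads a pam_env file on stdin; hypothetical helper name)
# Prints one VAR=value line per DEFAULT entry, with @{PAM_USER} replaced by USER.
# Comment lines and entries without a DEFAULT value are skipped.
pam_env_to_setenv() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]\{1,\}DEFAULT="\([^"]*\)".*/\1=\2/p' \
        | sed "s/@{PAM_USER}/$1/g"
}

# doas_rule USER   (reads a pam_env file on stdin; hypothetical helper name)
# Emits a doas.conf permit rule for USER whose setenv block carries the same
# values PAM would have set. The rule has to be per user because the per-user
# PATH entry cannot be expressed generically in doas.conf.
doas_rule() {
    vars=$(pam_env_to_setenv "$1" | tr '\n' ' ')
    printf 'permit persist keepenv setenv { %s} %s\n' "$vars" "$1"
}

# Stand-alone run: print the rule that would be appended to /etc/doas.conf for user "matt".
printf '%s\n' "$SAMPLE_PAM_ENV" | doas_rule matt
```

On a real machine the input would be the generated `/etc/pam/environment`, and the printed rule is what the NixOS doas module would have to emit once per user to mirror PAM; the hand-substituted `per-user/matt` path is why the issue argues for fixing `doas` upstream rather than living with this.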