NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

sudoers.so permission problem #62594

Open blitz opened 5 years ago

blitz commented 5 years ago

Issue description

I'm deploying a postgresql server using NixOps and the postgres post-start script times out. I'm deploying from a Fedora system running a single-user installation of Nix. The underlying issue is this:

# /nix/store/6jdr28mzyhdl3ca1l4xlvfhp19q1a1y4-sudo-1.8.27/bin/sudo -u postgres psql --port=5432 -d postgres -c
sudo: error in /etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
sudo: /nix/store/6jdr28mzyhdl3ca1l4xlvfhp19q1a1y4-sudo-1.8.27/libexec/sudo/sudoers.so must be owned by uid 0
sudo: fatal error, unable to load plugins

And indeed sudoers.so is not owned by root:

# ls -lh /nix/store/6jdr28mzyhdl3ca1l4xlvfhp19q1a1y4-sudo-1.8.27/libexec/sudo/sudoers.so
-r--r--r-- 1 1000 users 386K Jan  1  1970 /nix/store/6jdr28mzyhdl3ca1l4xlvfhp19q1a1y4-sudo-1.8.27/libexec/sudo/sudoers.so

The issue seems to be that the permissions from my Fedora system bleed through. The uid/gid of sudoers.so is the same as on my Fedora system (1000/1000). I assume this is a problem in the Nix expression for "sudo", but I'm not sure.

Steps to reproduce

  1. Install Nix as a single-user installation (the default) on any non-Nix Linux distro.
  2. Use NixOps to deploy postgres to a Nix system.
  3. See postgres init script time out.

Technical details

# On the system where I run NixOps
% nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 5.0.17-200.fc29.x86_64, Fedora, 29 (Workstation Edition)`
 - multi-user?: `no`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.2.2`
 - channels(julian): `"nixpkgs-19.09pre181045.61f0936d1cd"`
 - nixpkgs: `/home/julian/.nix-defexpr/channels/nixpkgs`

cc: @tfc
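
An added example, not part of the original report or of the sudo/nixpkgs code: a small check that walks a sudo plugin directory and lists every `.so` that sudo would refuse to load. The uid-0 rule is the one quoted in the error message above; the group/other write-bit rule and the function names are assumptions of this example.

```python
import os
import stat
import sys

def plugin_problems(st_uid, st_mode):
    """Return the reasons a sudo plugin with this owner/mode would be refused."""
    problems = []
    if st_uid != 0:
        # The condition behind the error message quoted in the report
        problems.append("must be owned by uid 0")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        # Assumption of this example: sudo also rejects group/world-writable plugins
        problems.append("must be only writable by owner")
    return problems

def audit_plugins(plugin_dir):
    """Map each failing *.so under plugin_dir to its list of problems."""
    findings = {}
    for dirpath, _dirs, files in os.walk(plugin_dir):
        for name in sorted(files):
            if not name.endswith(".so"):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            problems = plugin_problems(st.st_uid, st.st_mode)
            if problems:
                findings[path] = problems
    return findings

# Constructed samples: owner/mode as shown by the ls output in the report
# (-r--r--r--, uid 1000), and the same file as a root-owned store would show it.
SAMPLE_REPORTED = (1000, 0o100444)
SAMPLE_ROOT_OWNED = (0, 0o100444)

if __name__ == "__main__":
    # Usage: python3 check_sudo_plugins.py <store path of sudo>/libexec/sudo
    if len(sys.argv) != 2:
        sys.exit("usage: check_sudo_plugins.py <sudo libexec dir>")
    findings = audit_plugins(sys.argv[1])
    for path, problems in findings.items():
        for problem in problems:
            print(f"{path}: {problem}")
    sys.exit(1 if findings else 0)
```

Run against the deployed system's store path, it exits non-zero when any plugin fails, so it can gate an image build or deployment before the first `sudo` call times out.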

teto commented 5 years ago

This is a recurrent issue in nixops, see https://github.com/NixOS/nixops/issues/931

piegamesde commented 2 years ago

I'm running into this issue with a standard NixOS VM (nix-build -A vm). Is there any open issue that tracks this?

blitz commented 2 years ago

> I'm running into this issue with a standard NixOS VM (nix-build -A vm). Is there any open issue that tracks this?

Your best bet is https://github.com/NixOS/nixops/issues/931

piegamesde commented 2 years ago

How would this be related to NixOps if I'm not using it?

blitz commented 2 years ago

> How would this be related to NixOps if I'm not using it?

cough Good point. Are you using a single user install?

litchipi commented 2 years ago

Hello there. After running into the exact same problem, I created a minimal example where it happens, for experimentation purposes. Here it is: github: litchipi/nixos_sudopb. I've tried a bunch of things, but nothing has worked so far. I'm really surprised there are a lot of people having this issue. Hope it helps; feel free to clone, experiment and discuss it on my repo or here. I'll try to resolve it on my side as well.

blitz commented 2 years ago

@litchipi The flake.nix had some syntax errors, but I got it working. It does not reproduce the issue for me. I really think this is only an issue on single-user installs of Nix. Can you try whether you see the same issue with a multi-user install of nix?

litchipi commented 2 years ago

@blitz Tried out with a multi-user install (so with nix version 2.6.1) and everything seems to work now. However, I don't know what to do with that information. Should a new issue be opened? Or this one re-opened? I feel like this problem should be addressed for single-user installs.

blitz commented 2 years ago

@litchipi Good questions. See also nixos/nix#2602. Let's re-open this issue.

nixos-discourse commented 2 years ago

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixos-generators-from-single-user-nix-install-has-ownership-issues/18216/1