astro / microvm.nix

NixOS MicroVMs
https://astro.github.io/microvm.nix/
MIT License

issue with erofs store permissions #241

Closed bolives-hax closed 3 months ago

bolives-hax commented 3 months ago

Not exactly sure if this belongs here or in nixpkgs but essentially I face the following issue:

The files found within the erofs image (/nix/store/*) seem to have uid/gid 1000/100. While that shouldn't be an issue, things such as the postfix module seem to be affected by these permissions. As

https://github.com/NixOS/nixpkgs/blob/6c0b7a92c30122196a761b440ac0d46d3d9954f1/nixos/modules/services/mail/postfix.nix#L752

```nix
${concatStringsSep "\n" (mapAttrsToList (to: from: ''
  ln -sf ${from} /var/lib/postfix/conf/${to}
  ${pkgs.postfix}/bin/postmap /var/lib/postfix/conf/${to}
'') cfg.mapFiles)}
```

causes issues, as postmap will complain about a permission issue if run against a file with uid/gid 1000 instead of root. So for example, running postmap against

```
lrwxrwxrwx 1 root root    61 May 21 21:16 denied_recipients -> /nix/store/q2wlxp52yg7vz7h48lbhfk36a8q2g30a-denied_recipients
```

with

```
-r--r--r-- 1 1000 users 57 Jan  1  1970 /nix/store/q2wlxp52yg7vz7h48lbhfk36a8q2g30a-denied_recipients
```

wouldn't work as

```
/nix/store/0hrrxh3vymqj1agxmp0skl0hlxh96phf-postfix-3.9.0/bin/postmap /var/lib/postfix/conf/denied_recipients
postmap: fatal: open database /var/lib/postfix/conf/denied_recipients.db: Permission denied
```

but if, instead of symlinking to the nix store, we were to for example cp (without -p) like

```nix
${concatStringsSep "\n" (mapAttrsToList (to: from: ''
  cp ${from} /var/lib/postfix/conf/${to}
  ${pkgs.postfix}/bin/postmap /var/lib/postfix/conf/${to}
'') cfg.mapFiles)}
```

^ here is a crude fix I made that works https://github.com/NixOS/nixpkgs/compare/master...bolives-hax:nixpkgs:postfix-postmap-perm-fix#diff-9ee08734122ac06c1c2ccdabbc40d4346c315464b4de0a3622261232e4b946f9R753

this would work.

So my question is: what would be the most elegant way to fix such issues? Is this a flaw of nixpkgs, i.e. can you expect anything under /nix/store/ to be owned by anything but root:root? Since this is a NixOS module, which sort of implies NixOS, it usually implies said permissions are set on the store ... but if they were to differ and cause issues like the ones described above, would that qualify as a bug?

There are 4 possible solutions I can currently think of:

1) Don't symlink but cp (unfavorable for obvious reasons)
2) Play around with mount namespaces or such things to shift the store's uid/gids in a somewhat lightweight fashion
3) Change the contents of the erofs image
4) overlayfs and hardlinks or something

Maybe there are more options to go about this; I'd personally favor 2, as AFAIK systemd can sort of do such things these days, whereas with 3 I fear that would break unprivileged builds.
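An added example (not from this issue or from microvm.nix): a POSIX shell check that lists every entry under a tree whose owner differs from the expected uid:gid, so a guest's /nix/store (or a loop-mounted erofs image at a path of your choosing, both assumed here) can be audited for the 1000/100 ownership that trips postmap before a service hits it. It assumes `find -uid`/`-gid` and `ls -n`, which GNU and BSD userlands both provide.

```shell
# Added example, not code from the issue or the project.
# audit_store_owner DIR [EXPECTED_UID] [EXPECTED_GID]
#   Prints "uid:gid path" for every entry (file, dir or symlink itself) under DIR
#   whose owner is not EXPECTED_UID:EXPECTED_GID (default 0:0, i.e. root:root).
#   Returns 0 if everything matches, 1 if mismatches were printed, 2 on bad input.
audit_store_owner() {
    dir=$1
    want_uid=${2:-0}
    want_gid=${3:-0}
    [ -d "$dir" ] || { echo "audit_store_owner: not a directory: $dir" >&2; return 2; }

    # find tests the entry itself (symlinks are not followed), matching what the
    # erofs image stores; ls -ldn prints numeric uid/gid in columns 3 and 4, and
    # the path starts at column 9 (rebuilt from there so "name -> target" and
    # names with spaces survive).
    mismatches=$(find "$dir" \( ! -uid "$want_uid" -o ! -gid "$want_gid" \) \
                     -exec ls -ldn {} + 2>/dev/null |
                 awk '{ p = $9; for (i = 10; i <= NF; i++) p = p " " $i;
                        print $3 ":" $4, p }')

    if [ -n "$mismatches" ]; then
        printf '%s\n' "$mismatches"
        return 1
    fi
    return 0
}

# Example call against the guest store (assumed path): anything listed here is a
# candidate for the postmap failure described above.
# audit_store_owner /nix/store 0 0
```

Run it inside the MicroVM guest, or on the host against the directory where you loop-mounted the erofs image, and expect an empty result and exit status 0 for a store that postfix's postmap will accept.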

astro commented 3 months ago

Thank you for the report!

Please give #242 a try. Does that solve the issue for you?