nix-community / NixOS-WSL

NixOS on WSL(2) [maintainer=@nzbr]
Apache License 2.0

/run/user/$UID has 0755 access permissions by default #346

Open e-nikolov opened 9 months ago

e-nikolov commented 9 months ago

Bug description

On regular NixOS and other distributions, /run/user/$UID has 0700 access permissions, but on NixOS-WSL it has 0755. This causes problems for some programs like 1Password's CLI op, which produces an error like: XDG_RUNTIME_DIR file permissions too open, refusing to use

This might be a WSL issue since Ubuntu on WSL also has it set to 0755. Also manually changing the permissions via chmod only lasts until reboot. Is there a way to automatically set the permissions in NixOS-WSL?

SuperSandro2000 commented 9 months ago

IIRC this is intended, see https://github.com/NixOS/nixpkgs/pull/270727/commits/03e79e9ecc0d1b851ef53b67f8925646961cab1a

e-nikolov commented 9 months ago

This commit is from a PR that isn't merged yet and it discusses /run/dbus, not /run/user/$UID.

On my purely NixOS system I have these permissions:

❯ stat -c %a /run/user/1000
700
❯ stat -c %a /run/user
755
❯ stat -c %a /run/dbus
755

While on my NixOS-WSL system I have these:

❯ stat -c %a /run/user/1000
755
❯ stat -c %a /run/user
755
❯ stat -c %a /run/dbus
755

aidan-mundy commented 8 months ago

FWIW, this is also the case on the default Ubuntu WSL image, and is also causing issues for me with 1Password.

e-nikolov commented 8 months ago

Initially I had a service to fix the permissions when 1Password starts up inside WSL:

  # User service in the Unit/Service/Install layout used by Home Manager.
  systemd.user.services = {
    _1password_gui_autostart = {
      Unit = { Description = "1Password GUI Autostart"; };

      Service = {
        Environment = "DISPLAY=:0";
        # Tighten the runtime directory before each start; UID 1000 is hard-coded.
        ExecStartPre = "${pkgs.coreutils-full}/bin/chmod 700 /run/user/1000";
        ExecStart = "${pkgs._1password-gui}/bin/1password";
        Restart = "always";
      };
      Install.WantedBy = [ "default.target" ];
    };
  };

But eventually, it made more sense to configure WSL to use the Windows version of 1Password so that I don't have to run 2 instances:


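{ config, pkgs, lib, ... }: {
  # Sign commits and run SSH through the Windows-side programs.
  programs.git.extraConfig.gpg.ssh.program = "op-ssh-sign-wsl";
  programs.git.extraConfig.core.sshCommand = "ssh.exe";
  # Shell aliases that call the Windows executables from inside WSL.
  home.shellAliases = {
    ssh = "ssh.exe ";
    op = "op.exe";
  };
}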
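
Added example, not part of any comment in this thread and not 1Password's or NixOS-WSL's code: a shell check for the runtime-directory state the thread describes, which tightens the mode only when that is the sole problem. The pass criteria (owned by the current user, mode exactly 0700) are assumed from the XDG Base Directory specification, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): audit and, if safe, tighten an XDG
# runtime directory. The pass criteria are an assumption taken from the XDG
# Base Directory spec (owned by the user, mode exactly 0700); this is not
# 1Password's actual check. Uses GNU stat, as in the thread.

# Prints a verdict; returns 0 ok, 1 bad mode, 2 wrong owner, 3 not a real dir.
check_runtime_dir() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || { echo "missing-or-symlink"; return 3; }
    owner=$(stat -c %u "$dir")
    mode=$(stat -c %a "$dir")
    if [ "$owner" != "$(id -u)" ]; then
        echo "wrong-owner:$owner"; return 2
    fi
    if [ "$mode" != "700" ]; then
        echo "bad-mode:$mode"; return 1
    fi
    echo "ok"
}

# Runs chmod only when the mode is the sole problem; a directory owned by
# someone else or replaced by a symlink is reported, never modified.
fix_runtime_dir() {
    dir=$1
    verdict=$(check_runtime_dir "$dir") && { echo "$verdict"; return 0; }
    case $verdict in
        bad-mode:*) chmod 700 "$dir" && check_runtime_dir "$dir" ;;
        *) echo "$verdict"; return 2 ;;
    esac
}

# Demo on a constructed temp directory that mimics the 0755 state above.
demo=$(mktemp -d)
chmod 755 "$demo"
echo "before: $(check_runtime_dir "$demo" || true)"
echo "after:  $(fix_runtime_dir "$demo")"
rmdir "$demo"
```

In a real session the argument would be "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" rather than a fixed /run/user/1000.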