Arch Linux

FS#79747 - [nix] Despite .INSTALL message, all users can access Nix daemon

Attached to Project: Arch Linux
Opened by Vladimir Panteleev (CyberShadow) - Thursday, 21 September 2023, 06:02 GMT
Last edited by George Rawlinson (rawlinsong) - Friday, 22 September 2023, 09:14 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Caleb Maclennan (alerque), George Rawlinson (rawlinsong)
Architecture: All
Severity: High
Priority: Normal
Reported Version
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:

When installing the nix package, the .INSTALL script prints:

> Nix is installed but is not configured.
> To access Nix's daemon socket, users must be a member of the group 'nix-users'.

However, this doesn't appear to be true. Once the nix-daemon service is started, any user can access the nix daemon socket.

Looking at /nix/var/nix/daemon-socket, the socket has mode 644.

Additional info:
* package version(s): 2.17.0-3
* config and/or log files etc.: N/A
* link to upstream bug report, if any: N/A?

Steps to reproduce:
- pacman -S nix
- systemctl start nix-daemon.service
- # (do not add current user to nix-users)
- NIX_PATH=nixpkgs=https://github.com/NixOS/nixpkgs/archive/bff917a3ed37b1f9e705b5c07210acd295691770.tar.gz nix-shell -p hello --run hello

This should fail, but succeeds.

Closed by George Rawlinson (rawlinsong) - Friday, 22 September 2023, 09:14 GMT
Reason for closing: Fixed
Additional comments about closing: 2.17.0-4

Comment by Toolybird (Toolybird) - Thursday, 21 September 2023, 07:10 GMT
In the PKGBUILD `make install' is run *after* the manual "systemd integration" stuff which clobbers our tmpfiles.d snippet with the upstream supplied version.

Edit: raising severity level because this has potential security implications.
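
A check for the condition this report describes, added here as an example; it is not part of the report, the comments, or the package. It decides from permission bits alone whether accounts outside a socket's owner and group can reach it. The function names, the `TOP` argument and the socket file name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report. Decides from permission bits alone
# whether accounts outside a socket's owner and group can connect to it.
# On Linux, connect() on a UNIX socket needs write permission on the socket
# file and search (x) permission on every directory leading to it.
# Not covered: POSIX ACLs, LSM policy (SELinux/AppArmor), abstract sockets.

# other_bits PATH: print the "other" permission digit (0-7) of PATH.
other_bits() {
    mode=$(stat -c '%a' "$1") || return 2   # GNU stat, e.g. "750"
    printf '%s\n' "${mode#"${mode%?}"}"     # keep the last octal digit
}

# socket_open_to_others SOCKET [TOP]
# Returns 0 if "other" can reach SOCKET, 1 if a component blocks them,
# 2 on error. Directories are checked from SOCKET's parent up to TOP
# (default /); TOP is a hypothetical knob for checking a subtree only.
socket_open_to_others() {
    sock=$1
    top=${2:-/}
    bits=$(other_bits "$sock") || return 2
    [ $((bits & 2)) -ne 0 ] || return 1      # no write bit on the socket
    dir=$(dirname "$sock")
    while :; do
        bits=$(other_bits "$dir") || return 2
        [ $((bits & 1)) -ne 0 ] || return 1  # directory not searchable
        case $dir in
            "$top"|/|.) break ;;             # reached the top of the walk
        esac
        dir=$(dirname "$dir")
    done
    return 0
}

# Usage on an installed system (directory taken from the report; the name of
# the socket file inside it is an assumption):
#   socket_open_to_others /nix/var/nix/daemon-socket/socket \
#       && echo "daemon socket is reachable by all users"
```

Exit status 0 after installing the package means the group restriction announced by the .INSTALL message is not being enforced by file permissions.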
