Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#79747 - [nix] Despite .INSTALL message, all users can access Nix daemon
Attached to Project:
Arch Linux
Opened by Vladimir Panteleev (CyberShadow) - Thursday, 21 September 2023, 06:02 GMT
Last edited by George Rawlinson (rawlinsong) - Friday, 22 September 2023, 09:14 GMT
Opened by Vladimir Panteleev (CyberShadow) - Thursday, 21 September 2023, 06:02 GMT
Last edited by George Rawlinson (rawlinsong) - Friday, 22 September 2023, 09:14 GMT
|
DetailsDescription:
When installing the nix package, the .INSTALL script prints: > Nix is installed but is not configured. > To access Nix's daemon socket, users must be a member of the group 'nix-users'. However, this doesn't appear to be true. Once the nix-daemon service is started, any user can access the nix daemon socket. Looking at /nix/var/nix/daemon-socket, the socket has mode 644. Additional info: * package version(s): 2.17.0-3 * config and/or log files etc.: N/A * link to upstream bug report, if any: N/A? Steps to reproduce: - pacman -S nix - systemctl start nix-daemon.service - # (do not add current user to nix-users) - NIX_PATH=nixpkgs=https://github.com/NixOS/nixpkgs/archive/bff917a3ed37b1f9e705b5c07210acd295691770.tar.gz nix-shell -p hello --run hello This should fail, but succeeds. |
This task depends upon
Closed by George Rawlinson (rawlinsong)
Friday, 22 September 2023, 09:14 GMT
Reason for closing: Fixed
Additional comments about closing: 2.17.0-4
Friday, 22 September 2023, 09:14 GMT
Reason for closing: Fixed
Additional comments about closing: 2.17.0-4
Edit: raising severity level because this has potential security implications.