
Permission denied when trying to update flake.lock

Open Yucklys opened this issue 1 year ago • 14 comments

I put my flake.nix under /etc/nixos, as this is where sudo nixos-rebuild switch defaults to. However, when I try to update the flake inputs with nh os switch --update, it successfully pulls the updates but fails to update the flake.lock file due to permission denied. I have to manually update the flake inputs before I run this command. I think nh should ask for sudo permission to update the lock, as /etc/nixos/flake.nix is a common place where people store their flake files.

Yucklys avatar Apr 02 '24 15:04 Yucklys

nh doesn't run nix as root, only the activation scripts

viperML avatar Apr 02 '24 16:04 viperML

I just want to know if this is the intended behavior, as it requires another command to upgrade. I wrote a wrapper for the commands and now it works perfectly.

Yucklys avatar Apr 09 '24 12:04 Yucklys

It's weird behaviour nonetheless

viperML avatar Apr 09 '24 13:04 viperML

Same issue.

painsucker6k avatar Apr 19 '24 07:04 painsucker6k

> nh doesn't run nix as root, only the activation scripts

I'm guessing that's the issue, as flakes are updated by the nix command? I'm not that experienced in nix, so excuse me if I'm wrong.

painsucker6k avatar Apr 19 '24 07:04 painsucker6k

I know the issue but not the cleanest way to handle it. And my NixOS flake is not owned by root, so I don't need to fix this immediately

viperML avatar Apr 19 '24 07:04 viperML

So the temporary fix is changing the ownership of flake.nix and flake.lock?

painsucker6k avatar Apr 19 '24 07:04 painsucker6k

I'd say not using nh's --update is the correct way

viperML avatar Apr 19 '24 10:04 viperML

I am also struggling with this: nh os switch fails whenever I update my flake inputs. Shouldn't nh ask for sudo like it does at other times it is required?

different-name avatar Jun 12 '24 04:06 different-name

No, because I want to keep the evaluation apart from root

viperML avatar Jun 12 '24 10:06 viperML

Do you suggest permanently changing ownership then?

different-name avatar Jun 12 '24 17:06 different-name

Running nix flake update as the same user that owns the flake

viperML avatar Jun 14 '24 08:06 viperML
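
One way to script the advice in this thread (update the lock as the user that owns the flake, then rebuild without --update), as an added example that is not part of any comment and not nh's own code. The function names, the FLAKE_DIR default, the `--run` argument and passing the flake directory to nh os switch are assumptions; it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not nh's code): refresh flake.lock as the flake's owner,
# then rebuild without --update; nh calls sudo itself for activation.
# FLAKE_DIR, the function names and "--run" are assumptions for illustration.
FLAKE_DIR="${FLAKE_DIR:-/etc/nixos}"

# Print the numeric uid that owns flake.lock, or the flake directory
# when no lock file exists yet. Uses GNU stat (-c).
flake_owner_uid() {
    target="$1/flake.lock"
    [ -e "$target" ] || target="$1"
    stat -c %u "$target"
}

# Print the command prefix needed to act as the flake's owner:
# empty if we already are that user, "sudo -u #<uid>" otherwise.
owner_prefix() {
    owner=$(flake_owner_uid "$1") || return 1
    if [ "$owner" = "$(id -u)" ]; then
        printf ''
    else
        printf 'sudo -u #%s' "$owner"
    fi
}

update_and_switch() {
    dir="$1"
    # nh refuses to run as root, so stop early with the same advice.
    if [ "$(id -u)" = 0 ]; then
        echo "run this as your normal user, not as root" >&2
        return 1
    fi
    prefix=$(owner_prefix "$dir") || return 1
    # Subshell keeps the caller's working directory unchanged.
    # $prefix is left unquoted on purpose so it splits into words.
    ( cd "$dir" && $prefix nix flake update ) || return 1
    # Only the lock update ran as the owner; evaluation stays unprivileged.
    nh os switch "$dir"
}

# Hypothetical entry point: "sh script.sh --run"
if [ "${1:-}" = "--run" ]; then
    update_and_switch "$FLAKE_DIR"
fi
```
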

I have a similar issue: using agenix the quick and dirty way and putting a builtins.readFile config.age.secrets.foo.path in the config, I get a permission error: error: opening file '/run/agenix/foo': Permission denied

And sudo -E nh os switch doesn't work: Don't run nh os as root. I will call sudo internally as needed. What's the reason for this sudo check?

gepbird avatar Jul 01 '24 09:07 gepbird

Well, readFile secret is certainly a use case I want to block, so nh was working as intended.

Edit: + if anything, nix would not let you read files outside the flake because of the evaluation-time sandbox.

viperML avatar Jul 01 '24 09:07 viperML

Maybe try this? Worked for me.

 sudo chown <user_name> ../flake.lock 

darshmashru avatar Oct 17 '24 16:10 darshmashru

> Maybe try this? Worked for me.
>
> sudo chown <user_name> ../flake.lock

~Changing ownership did let nh access the flake, but it didn't use cachix stores correctly. I suppose it is because it is using the cachix setting in the user directory.~

Edit: Thanks for your help! Found out it was a mistake with my cachix setup. After fixing the cache, I can update the flake directly with nh now. Wonder why I never thought about this for months. The initial issue for me is solved, but I notice there is another person having an issue with file permissions too. So I will keep this issue open for now. Feel free to close it as you need.

Yucklys avatar Oct 17 '24 16:10 Yucklys