
macOS 15 has group id 301 occupied. might need changing

Open joshryandavis opened this issue 1 year ago • 18 comments

A new daemon occupies PrimaryGroupID 301. Thankfully, this can be reassigned using the --nix-build-group-id and --nix-build-user-id-base flags, but it will be an issue.

This breaks the installer and uninstaller.

AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000012D
GroupMembers: FFFFEEEE-DDDD-CCCC-BBBB-AAAA0000012D
GroupMembership: _modelmanagerd
Password: *
PrimaryGroupID: 301
RealName:
 Model Manager
RecordName: _modelmanagerd
RecordType: dsRecTypeStandard:Groups

(Edited by @cole-h to add the following)

Cross-linking issues about this same thing:

  • nix-darwin -- https://github.com/LnL7/nix-darwin/issues/970
  • upstream -- https://github.com/NixOS/nix/issues/10892

joshryandavis avatar Jun 10 '24 22:06 joshryandavis

This is the error context from the generated issue URL:

Error

Error: 
   0: Install failure
   1: Error executing action
   2: Action `create_users_and_group` errored
   3: Action `create_user` errored
   4: Failed to execute command with status 55 `"/usr/bin/dscl" "." "-create" "/Users/_nixbld1" "UniqueID" "301"`, stdout: 
      stderr: <main> attribute status: eDSRecordAlreadyExists
      <dscl_cmd> DS Error: -14135 (eDSRecordAlreadyExists)


Metadata

key value
version 0.19.0
os macos
arch aarch64

kennethjyang avatar Jun 10 '24 23:06 kennethjyang

dscl . -search /Users UniqueID "301"
_modelmanagerd		UniqueID = (
    301
)

The last few in /etc/passwd are these here

_aonsensed:*:300:300:Always On Sense Daemon:/var/db/aonsensed:/usr/bin/false
_modelmanagerd:*:301:301:Model Manager:/var/db/modelmanagerd:/usr/bin/false
_reportsystemmemory:*:302:302:ReportSystemMemory:/var/empty:/usr/bin/false
_swtransparencyd:*:303:303:Software Transparency Services:/var/db/swtransparencyd:/usr/bin/false
_naturallanguaged:*:304:304:Natural Language Services:/var/db/com.apple.naturallanguaged:/usr/bin/false
_oahd:*:441:441:OAH Daemon:/var/empty:/usr/bin/false

fbettag avatar Jun 12 '24 06:06 fbettag

In the meantime, you may be able to get around this by passing --nix-build-user-id-base 305 to your install invocation, i.e.:

$ curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --nix-build-user-id-base 305 --nix-build-group-id 305

EDIT: Just saw the part about the group ID also colliding; updated the snippet for that.

cole-h avatar Jun 12 '24 14:06 cole-h

I suggest using an even higher base number, as Apple may add more users and groups.

curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --nix-build-user-id-base 400 --nix-build-group-id 4000

dz0ny avatar Jun 13 '24 11:06 dz0ny

I seem to recall seeing some issues in the past about setting the Darwin IDs too high (i.e. outside of the 200-400 ID range), so I'm not sure that's a great idea. This comment on the nix-darwin issue about the same problem seems to agree with that thought: https://github.com/LnL7/nix-darwin/issues/970#issuecomment-2165455547

cole-h avatar Jun 13 '24 14:06 cole-h

I have posted my thoughts on what ID ranges would be good choices on the upstream issue: https://github.com/NixOS/nix/issues/10892#issuecomment-2169192175. Since this has to be coordinated throughout the entire macOS Nix ecosystem I hope we can discuss there and settle on something collectively soon.

emilazy avatar Jun 15 '24 07:06 emilazy

The new suggested range seems to be 450-499. See: https://github.com/NixOS/nix/issues/10892#issuecomment-2212094287

ahcm avatar Jul 07 '24 01:07 ahcm

> The new suggested range seems to be 450-499. See: NixOS/nix#10892 (comment)

Thanks for that! We just merged https://github.com/DeterminateSystems/nix-installer/pull/1038, which should detect macOS 15 and move the UIDs up to 450+ by default. Hoping to put a release out within the next couple of days that includes this fix, but for now you should be able to get it with this:

$ curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix/tag/v0.20.1 | sh -s -- install

I'm going to keep this issue open until the upstream installer fixes it on their end as well, in case they're able to come up with a better solution.

(EDIT: Updated URL to v0.20.1, which is the first release that includes the macOS 15 fix)

cole-h avatar Jul 09 '24 19:07 cole-h

@cole-h - using either the main 0.20.1 release (which in theory has the updated code) or your commit still yields "nix_build_user_id_base": 300 in the plan:

% uname -a
Darwin intel.local 24.0.0 Darwin Kernel Version 24.0.0: Mon Jul  1 21:56:48 PDT 2024; root:xnu-11215.0.132.501.1~1/RELEASE_X86_64 x86_64

% ./nix-installer-x86_64-darwin --version                
nix-installer 0.20.1

% ./nix-installer-x86_64-darwin plan | grep build_user_id
`nix-installer` needs to run as `root`, attempting to escalate now via `sudo`...
        "nix_build_user_id_base": 300,
      "nix_build_user_id_base": 300,

Slap me with the clue-stick as required.

ratbag98 avatar Jul 12 '24 01:07 ratbag98

The updated UIDs are only used if you're installing on macOS 15. It does not change it for any lower versions at this time.

cole-h avatar Jul 12 '24 01:07 cole-h

> The updated UIDs are only used if you're installing on macOS 15. It does not change it for any lower versions at this time.

Thanks for the speedy reply @cole-h (and by adding this shout-out I'm not trying to push you to reply as quickly to this update! This is definitely a non-urgent problem for me)

I've updated my screed with uname output - I'm on 15.0 (build 24A5289g).

ratbag98 avatar Jul 12 '24 01:07 ratbag98

> The updated UIDs are only used if you're installing on macOS 15. It does not change it for any lower versions at this time.

The problem is that when you upgrade to macOS 15, at that point you can no longer install new packages or upgrade them, as the _nixbld* users no longer exist.

The error you get is:

error: the user '_nixbld1' in the group 'nixbld' does not exist

dz0ny avatar Jul 12 '24 07:07 dz0ny

@ratbag98 You could help out @abathur in https://github.com/NixOS/nix/pull/11075; there’s a list of stuff he’d like to know from someone who updated to Sequoia and had their Nix break.

emilazy avatar Jul 12 '24 07:07 emilazy

> @ratbag98 You could help out @abathur in NixOS/nix#11075; there’s a list of stuff he’d like to know from someone who updated to Sequoia and had their Nix break.

I'll take a look, but I previously took the nuclear option and wiped my nix installation completely (using the manual instructions, since the installer obviously wasn't working). The machine I've put the beta on is just for testing etc., so if this continues to be an issue, I'll reinstall Sonoma, reinstall nix, then upgrade to Sequoia again and send @abathur the information they require.

ratbag98 avatar Jul 12 '24 13:07 ratbag98

> > The updated UIDs are only used if you're installing on macOS 15. It does not change it for any lower versions at this time.
>
> The problem is that when you upgrade to macOS 15, at that point you can no longer install new packages or upgrade them, as the _nixbld* users no longer exist.
>
> The error you get is:
>
> error: the user '_nixbld1' in the group 'nixbld' does not exist

@dz0ny Correct. https://github.com/DeterminateSystems/nix-installer/pull/1038 only aimed to solve the "easy" problem: installing Nix while currently on macOS 15 beta. Once upstream has a good solution for migration (for users on macOS 14 wanting to update to macOS 15), we will likely adapt a similar approach.

> > The updated UIDs are only used if you're installing on macOS 15. It does not change it for any lower versions at this time.
>
> Thanks for the speedy reply @cole-h (and by adding this shout-out I'm not trying to push you to reply as quickly to this update! This is definitely a non-urgent problem for me)
>
> I've updated my screed with uname output - I'm on 15.0 (build 24A5289g).

@ratbag98 Interesting. I had someone test in a macOS 15 VM and they got the expected 450 UIDs in the plan output. Just as a sanity check, could you re-fetch the installer from https://install.determinate.systems/nix/tag/v0.20.1 (direct link to x86_64 darwin: https://install.determinate.systems/nix/tag/v0.20.1/nix-installer-x86_64-darwin) and try again, also with -vvv? If it still doesn't show 450 as the UID, please paste the contents of /System/Library/CoreServices/SystemVersion.plist.

cole-h avatar Jul 12 '24 14:07 cole-h

@cole-h Still get 300 so, here's the SystemVersion:

% cat /System/Library/CoreServices/SystemVersion.plist 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>BuildID</key>
	<string>3AF1D99E-3D69-11EF-B100-6565DCA24FCD</string>
	<key>ProductBuildVersion</key>
	<string>24A5289g</string>
	<key>ProductCopyright</key>
	<string>1983-2024 Apple Inc.</string>
	<key>ProductName</key>
	<string>macOS</string>
	<key>ProductUserVisibleVersion</key>
	<string>15.0</string>
	<key>ProductVersion</key>
	<string>15.0</string>
	<key>iOSSupportVersion</key>
	<string>18.0</string>
</dict>
</plist>

I've zipped and attached the results of running the installer from your provided link (tag/v0.20.1)

% sh installer.sh plan -vvv  > with_verbose.txt 2>&1

with_verbose.zip

ratbag98 avatar Jul 12 '24 14:07 ratbag98

If you give me a few hours and enough coffee I can probably install Rust on this machine and compile up a more instrumented implementation of the is_macos_15_or_later function to see if it's correctly parsing the plist (or even seeing it in the first place). It definitely looks correct.

It would help if you had some non nix-based instructions for successfully building it - my chicken and egg have a fixed ordering that's not compatible with the existing instructions and my other nix-running machines are arm based.

Let me know, or more likely let me know how I've messed it up and wasted your time.

ratbag98 avatar Jul 12 '24 18:07 ratbag98

I'm getting this issue on Sonoma 14.4. I have a _defendpoint 301 user.

Is there a way to explicitly set the start of the range when using the Determinate Installer? (Setting NIX_FIRST_BUILD_UID="350" didn't seem to work.)


nvm, solved with adding the params mentioned above (but still worth flagging this issue happened on a non v15 OS)

--nix-build-user-id-base 450 --nix-build-group-id 450

dmelliot avatar Jul 19 '24 07:07 dmelliot
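
Added example, not from the thread or the nix-installer project: a check for which account holds a given ID and for the lowest free block of build-user IDs, run over the passwd lines quoted earlier in the thread. The function names and the count of 32 build users are assumptions made for the illustration.

```sh
#!/bin/sh
# Constructed sample: the passwd lines quoted earlier in this thread.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# comment lines, as found in a macOS /etc/passwd, are skipped
_aonsensed:*:300:300:Always On Sense Daemon:/var/db/aonsensed:/usr/bin/false
_modelmanagerd:*:301:301:Model Manager:/var/db/modelmanagerd:/usr/bin/false
_reportsystemmemory:*:302:302:ReportSystemMemory:/var/empty:/usr/bin/false
_swtransparencyd:*:303:303:Software Transparency Services:/var/db/swtransparencyd:/usr/bin/false
_naturallanguaged:*:304:304:Natural Language Services:/var/db/com.apple.naturallanguaged:/usr/bin/false
_oahd:*:441:441:OAH Daemon:/var/empty:/usr/bin/false
EOF

# id_owners FILE ID (hypothetical helper)
# Print every account whose UID or primary GID equals ID.
id_owners() {
    awk -F: -v id="$2" \
        '!/^#/ && NF >= 4 && ($3 == id || $4 == id) { print $1 }' "$1"
}

# first_free_base FILE LOW HIGH COUNT (hypothetical helper)
# Print the lowest base such that base..base+COUNT-1 lies within LOW..HIGH
# and none of those IDs is in use as a UID or primary GID in FILE.
# Returns 1 when no such block exists.
first_free_base() {
    awk -F: -v low="$2" -v high="$3" -v count="$4" '
        /^#/ || NF < 4 { next }          # skip comments and malformed lines
        { used[$3] = 1; used[$4] = 1 }   # both ID spaces must be free
        END {
            for (base = low; base + count - 1 <= high; base++) {
                ok = 1
                for (id = base; id < base + count; id++)
                    if (id in used) { ok = 0; base = id; break }
                if (ok) { print base; exit 0 }
            }
            exit 1
        }' "$1"
}

# 32 build users is an assumed count; 450-499 is the range suggested above.
echo "301 is held by: $(id_owners "$SAMPLE" 301)"
echo "lowest free base in 300-499: $(first_free_base "$SAMPLE" 300 499 32)"
echo "lowest free base in 450-499: $(first_free_base "$SAMPLE" 450 499 32)"
```

On a running Mac, accounts created by third-party software live in the directory service and may not appear in /etc/passwd, so a clean result from that file alone does not rule out a collision like the _defendpoint one reported above.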