Consider adding `nix`'s default profile paths to sudo's `secure_path`
Take a look at this. The determinate nix installer should add the bin paths (for /nix/var/nix/profiles/default/bin) to sudo.
This script here does exactly what I am talking about, but this should be integrated into the determinate nix installer and be written in Rust like the rest of the installer.
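```bash
#!/usr/bin/env bash
# Prompt for the sudo password up front so later sudo calls reuse the cached credential.
sudo echo "Adding sudo path variables for nix"
# Snapshot the PATH that sudo currently hands to commands (the effective secure_path).
SUDOPATHVARIABLE5=$(sudo printenv PATH)
sleep 1
# Write a sudoers drop-in that puts the nix default profile ahead of that snapshot.
sudo tee /etc/sudoers.d/nix-sudo-env <<EOF
Defaults secure_path = /nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:$SUDOPATHVARIABLE5
EOF
echo "Finished adding sudo variables for nix"
```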
It would be nice to allow users to skip the -i flag when they use sudo, but I'm not sure the consequences of this procedure are worth the risks associated.
Unfortunately, sudo does not allow for the option of configuring settings like `secure_path` to be appended to, so we could either overwrite some existing setting the user has in their sudo config, or they could overwrite the setting unintentionally. This means we have to essentially have a point-in-time 'snapshot' of the user's existing setting (as you get with `sudo printenv PATH`). This causes another issue...
The user's intended `secure_path` setting might change or drift with OS upgrades, or their own changes. This installer has no way to create a hook to ensure that the path we can't append to gets updated in the necessary way.
Lastly, `secure_path` is a rather sensitive setting. If it is pointed at a user-writable path, that user can control things like which binary the sudo user might use (for example, swapping bash for a bash which captures keystrokes). While /nix/var/nix/profiles/default/bin and /nix/var/nix/profiles/default/sbin are typically root-controlled, it's possible for root to add new paths to these folders without understanding the possible security consequences.
```
[ana@Autonoma nix-installer]$ sudo nix profile install --profile /nix/var/nix/profiles/default nixpkgs#ripgrep
[ana@Autonoma nix-installer]$ ls /nix/var/nix/profiles/default/bin
nix nix-build nix-channel nix-collect-garbage nix-copy-closure nix-daemon nix-env nix-hash nix-instantiate nix-prefetch-url nix-shell nix-store rg
```
I don't think this last issue is a particular problem, but I do believe that, combined with the lack of ability to safely append to the sudo path, it creates sufficient reasoning to avoid this change for now.
Suggestion: add this "fix" as an option (like `--sudoers-fix`) or in the troubleshooting guide as an option if you understand the risks.
https://gist.github.com/queeup/1666bc0a5558464817494037d612f094
Instead of appending to the /etc/sudoers file, they create a file at /etc/sudoers.d/nix-sudo-env, and it indeed works as intended (Fedora Silverblue, Ubuntu).
Even with a possible error in the file, sudo keeps working (but gives a warning about the file and the error).
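
An added example (not part of the thread and not nix-installer code) for the concern raised above about writable directories in `secure_path`: a shell audit that flags any entry that is relative, missing, not owned by root, or group/world-writable once symlinks are resolved. The function names and the optional trusted-uid argument are assumptions for illustration; it relies on `stat -c` and `readlink -f` (GNU coreutils or BusyBox) and checks only each entry itself, not its parent directories.

```shell
#!/usr/bin/env bash
# Added example: audit the directories named in a sudo secure_path value.
# Typical use:  audit_secure_path "$(sudo printenv PATH)"

# check_dir DIR [TRUSTED_UID]
# Prints one finding and returns 1 if DIR is unsafe as a secure_path entry.
# TRUSTED_UID (hypothetical knob, default 0) is accepted as owner besides root.
check_dir() {
    local dir="$1" trusted="${2:-0}" real owner mode
    case "$dir" in
        /*) ;;
        *)  echo "UNSAFE '$dir': empty or relative entry"; return 1 ;;
    esac
    # Profile directories are usually symlinks, so judge the real target.
    if ! real=$(readlink -f -- "$dir") || [ ! -d "$real" ]; then
        echo "UNSAFE $dir: missing or not a directory"; return 1
    fi
    owner=$(stat -c '%u' -- "$real")
    mode=$(stat -c '%a' -- "$real")
    if [ "$owner" != 0 ] && [ "$owner" != "$trusted" ]; then
        echo "UNSAFE $dir: $real is owned by uid $owner"; return 1
    fi
    # Octal 020 is group-writable, 002 is world-writable.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "UNSAFE $dir: $real has mode $mode (group/world-writable)"; return 1
    fi
    return 0
}

# audit_secure_path VALUE [TRUSTED_UID]
# VALUE is a colon-separated list such as the output of `sudo printenv PATH`.
# Returns 0 only if every entry passes check_dir.
audit_secure_path() {
    local rest="$1:" trusted="${2:-0}" entry bad=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}      # text before the first colon
        rest=${rest#*:}        # drop that entry and its colon
        check_dir "$entry" "$trusted" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}
```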