
[2.20.5 regression] `nix eval` fails with `'/etc/nixos': ... is not owned by current user`

Open trofi opened this issue 1 year ago • 10 comments

Describe the bug

After NixOS upgraded to nix-2.20.5 some evals ran as user started failing as:

$ nix eval --impure --raw /etc/nixos#nixosConfigurations.$(hostname).config.system.build.toplevel.drvPath
error:
       … while fetching the input 'git+file:///etc/nixos'

       error: opening Git repository '/etc/nixos': repository path '/etc/nixos/' is not owned by current user

These used to work. Running it with sudo works as expected (but I think it's a needless constraint):

$ sudo nix eval --impure --raw /etc/nixos#nixosConfigurations.$(hostname).config.system.build.toplevel.drvPath
/nix/store/qr5v3hbc1hh16cgac7s6nbf5ixnp914p-nixos-system-nz-24.05.20240309.de66856.drv

Permissions and IDs:

$ ls -ld /etc/nixos
drwxr-xr-x 1 root root 1014 Mar  6 22:25 /etc/nixos

$ id
uid=1000 ...

nix-env --version output: nix-env (Nix) 2.20.5

Priorities

Add :+1: to issues you find important.

trofi avatar Mar 09 '24 09:03 trofi

Currently working it around with $ git config --global --add safe.directory /etc/nixos as current user.

trofi avatar Mar 09 '24 09:03 trofi

Yes, that's very likely a consequence of https://nvd.nist.gov/vuln/detail/CVE-2022-24765 from the Git side.

We could probably specify the path to the git repo explicitly to disable that check when we know it's safe (and once https://github.com/NixOS/nix/pull/6464 is merged 😒 )

thufschmitt avatar Mar 09 '24 09:03 thufschmitt

I suspect I hit the same issue after updating. Same nix version (2.20.5) but I am using a flake repo in my home directory to manage my NixOS machine.

sudo nixos-rebuild failed because of the ownership issue, and being on nixos using a nixos-rebuild switch command failed for the user. I needed to change the ownership of my flake repo to root to let me update.

sudo works above because your /etc/nixos is owned by root.

❯ sudo nixos-rebuild switch --flake .#carbon
error:
       … while fetching the input 'git+file:///home/patrick/.dotfiles'

       error: opening Git repository '/home/patrick/.dotfiles': repository path '/home/patrick/.dotfiles/' is not owned by current user
❯ nixos-rebuild switch --flake .#carbon
building the system configuration...
error: creating symlink from '/nix/var/nix/profiles/.0_system' to 'system-745-link': Permission denied
❯ sudo chown root /home/patrick/.dotfiles/ -R
❯ sudo nixos-rebuild switch --flake .#carbon
building the system configuration
<----snipped---->

arcuru avatar Mar 13 '24 18:03 arcuru

I can think of two workarounds for nixos-rebuild:

  1. Use nixos-rebuild switch --use-remote-sudo instead of sudo nixos-rebuild switch.
  2. Bind mount /etc/nixos to another path and set owner to you.

Still waiting for a proper solution.

Aleksanaa avatar Mar 17 '24 10:03 Aleksanaa

Triaged in Nix team meeting:

  • @edolstra @Ericson2314 doubt that we're vulnerable to the CVE in question, since we specify the path to the Git repo, so it shouldn't search up the tree. We may just want to disable the behavior by default.
  • @fricklerhandwerk doubts this is anything but a purely flake issue (i.e. experimental does not mean stable). And doing fetchGit on a local directory would likely be holding it wrong. If you want to filter for files, use the fileset library, it's just as convenient and scales better.
    • @roberth: people use it that way, period
  • If we want to disable it, we have to check if it's even possible in libgit2. @trofi would you like to help out resolving the issue?

fricklerhandwerk avatar Mar 27 '24 20:03 fricklerhandwerk

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2023-03-27-nix-team-meeting-134/42961/1

nixos-discourse avatar Apr 08 '24 15:04 nixos-discourse

This is now impacting a broader range of users as nix has been updated to 2.24.9 on nixos-unstable.

GaetanLepage avatar Oct 16 '24 12:10 GaetanLepage

I'm also experiencing this issue. Switching my flake repo to be owned by root was the only solution that worked for me. On nix version 2.24.9 from unstable.

ModestTG avatar Oct 18 '24 19:10 ModestTG

It seems feasible to implement looser rules than what seems to be implemented in libgit2, but we should also consider the possibility that this is a libgit2 bug, as the error in this issue is from libgit2, and the git cli apparently does not complain about this.

A fix in libgit2 may be easier to implement, and patching is not a problem, especially if upstream agrees about the semantics.

Alternatively it seems that we could disable libgit2's check by setting safe.directory (temporarily, in the Nix process), using the wildcard. Slightly safer, for Nix library users would be to append to safe.directory around here, using this slightly cryptic function. However, we should only do any of that if libgit2 implements incomplete or incorrect logic and they don't want to change it.

roberth avatar Oct 19 '24 10:10 roberth

Any help would be appreciated.

roberth avatar Oct 19 '24 10:10 roberth

Ran into this issue trying to build a flake using a Kubernetes Gitlab Ci CD runner w/o root. Also on the nix:2.24.9 image, running git config --global --add safe.directory "$(pwd)" seems a fine workaround until this is addressed by nix.

vonjackets avatar Oct 25 '24 16:10 vonjackets

Is there a way to downgrade just the nix package to the one in nixos-24.05 while this gets resolved? I'm not sure what flake configuration that would be. I'm unable to get the fix suggested by @vonjackets to work on my system. I have to switch my git repo to have root:root permissions in order to nixos-rebuild at all.

ModestTG avatar Oct 31 '24 01:10 ModestTG

It doesn't work for me either. The workaround has now stopped working too; I've tried in my global git config:

[safe]
directory = "/PATH/TO/FLAKE"

or

[safe]
directory = "*"

It only works when setting the ownership of the flake repo (and the .git repo) to root.

cooparo avatar Nov 01 '24 09:11 cooparo

running git config --global --add safe.directory "$(pwd)" seems a fine workaround

IIUC this should be run as root, e.g:

cd /path/to/flake
sudo git config --global --add safe.directory "$PWD"

roberth avatar Nov 01 '24 14:11 roberth
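The thread above keeps circling one point: the ownership check (Git's CVE-2022-24765 mitigation, here enforced by libgit2) is evaluated against the effective uid of the process, and the `safe.directory` entries it honours come from that user's own config. A `git config --global --add safe.directory` run as the login user lands in that user's `~/.gitconfig`, which a `sudo nixos-rebuild` process never opens. The following is an added model of that rule written for this page; it is not code from Nix, Git or libgit2. Path normalisation (realpath, trailing slash ignored) and the minimal `[safe]` parser are assumptions made for the example, and a uid of "current + 1" stands in for root because the example cannot chown anything.

```python
"""Model of the Git/libgit2 "dubious ownership" rule and of which config
file supplies safe.directory. Added example; not Nix, Git or libgit2 code.
"""
import os
import tempfile
from typing import Iterable


def parse_safe_directories(gitconfig_text: str) -> list[str]:
    """Return every `directory` value under `[safe]` sections.

    Assumption: a tiny INI-style subset is enough here; real git also
    handles includes, conditional sections and escaping.
    """
    entries: list[str] = []
    section = None
    for raw in gitconfig_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "safe" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "directory":
                entries.append(value.strip('"'))
    return entries


def load_global_safe_dirs(home: str) -> list[str]:
    """Read `$HOME/.gitconfig` of the *effective* user.

    sudo switches HOME to root's, so the login user's file is never read.
    """
    path = os.path.join(home, ".gitconfig")
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return parse_safe_directories(fh.read())


def _norm(path: str) -> str:
    # Assumption: compare canonical paths, ignoring a trailing slash such as
    # the '/etc/nixos/' printed in the error message.
    return os.path.realpath(path).rstrip("/") or "/"


def repo_is_safe(repo_path: str, euid: int, safe_dirs: Iterable[str]) -> bool:
    """A repo is usable when the effective uid owns it, it is listed in
    safe.directory, or the wildcard '*' is configured."""
    safe = list(safe_dirs)
    if "*" in safe:
        return True
    target = _norm(repo_path)
    if any(_norm(d) == target for d in safe):
        return True
    return os.stat(repo_path).st_uid == euid


def demo() -> dict[str, bool]:
    """Constructed scenario mirroring the thread: a checkout owned by the
    login user, evaluated once as that user and once as "root" under sudo."""
    owner_uid = os.geteuid()
    sudo_uid = owner_uid + 1  # stand-in for root; chown needs privileges
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "dotfiles")
        os.makedirs(os.path.join(repo, ".git"))
        user_home = os.path.join(tmp, "home", "user")
        root_home = os.path.join(tmp, "root")
        os.makedirs(user_home)
        os.makedirs(root_home)

        # What `git config --global --add safe.directory "$PWD"` writes when
        # run as the login user: it goes into the user's own config only.
        with open(os.path.join(user_home, ".gitconfig"), "w", encoding="utf-8") as fh:
            fh.write(f"[safe]\n\tdirectory = {repo}\n")

        results = {
            "user_eval": repo_is_safe(repo, owner_uid, load_global_safe_dirs(user_home)),
            # sudo'd Nix reads root's config, which is still empty.
            "sudo_eval_user_config_only": repo_is_safe(
                repo, sudo_uid, load_global_safe_dirs(root_home)),
        }

        # `sudo git config --global --add safe.directory "$PWD"`: same entry,
        # but written to root's config (trailing slash on purpose).
        with open(os.path.join(root_home, ".gitconfig"), "w", encoding="utf-8") as fh:
            fh.write(f"[safe]\n\tdirectory = {repo}/\n")
        results["sudo_eval_root_config"] = repo_is_safe(
            repo, sudo_uid, load_global_safe_dirs(root_home))
        results["sudo_eval_wildcard"] = repo_is_safe(
            repo, sudo_uid, parse_safe_directories('[safe]\n\tdirectory = "*"\n'))
        return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'not owned by current user'}")
```

The "user config only" case is the failure cooparo and ModestTG describe: the entry exists, but in the wrong user's file. Note that the wildcard entry disables the protection for every repository that process touches, so on a shared host or CI runner the exact-path form is the one to prefer.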

Good catch; the official nix image I'm using runs as root by default, I hadn't caught that.


vonjackets avatar Nov 01 '24 14:11 vonjackets

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/flake-auto-upgrade-fails-because-git-repo-not-owned-by-current-user/61893/4

nixos-discourse avatar Mar 20 '25 04:03 nixos-discourse

I'm running the following module in NixOS and nix-darwin:

{ ... }:
{
  home-manager.users.root.programs.git.enable = true;
  home-manager.users.root.programs.git.extraConfig.safe.directory = "...";
}

Enzime avatar May 09 '25 04:05 Enzime