nix-community/nixos-anywhere

--extra-files copied to target machine with original user's ownership

Closed this issue · 7 comments

I'm having an issue with this command:

install -d -m755 "$temp/persist/etc/ssh"
...
chmod 600 "$temp/persist/etc/ssh/ssh_host_ed25519_key"
chmod 644 "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub"
nix run github:nix-community/nixos-anywhere -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"

nixos-anywhere seems to be copying the extra files as the original user, thus breaking my installation. /etc and /etc/ssh are owned by 1000:users, when they should be root:root

I noticed this after the recent rsync-related merge today (#325), so I'm not sure if it's related to that, or if I'm doing something dumb.

I've run the command using the last revision before today's merge, and the issue goes away, confirming that the recent merge is the source of the issue:

nix run github:nix-community/nixos-anywhere/242444d228636b1f0e89d3681f04a75254c29f66 -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"

This makes sense. Sorry for that. The original idea is to let the user set up permissions etc. But well, this situation should be better taken care of.

This issue ruined my entire weekend, which is ironic for a tool supposed to set up an instance in less than 5 minutes!

Indeed, it crashes the entire installation, especially the SSHD server! For security reasons, SSH is strict about the owner of the /var/empty file. However, if you mistakenly copy a file into /etc/, the entire root directory changes its owner to the user.

You can see the boot problem on the new installation.

Several options are possible:

  • Run nixos-anywhere as root, which I am not very keen on.
  • Offer the possibility to execute a post-script on the new installation.

Also, recommending the use of the command nix run github:nix-community/nixos-anywhere is counterproductive because it uses the latest version and not a locked version.

I think it would be better to advise using nix run nixpkgs#nixos-anywhere or similar so that it uses a locked version?

@badele Please try nix run github:Prince213/nixos-anywhere/extra-files and see if that solves the problem? All files will be owned by root.

Hi @Prince213 thanks for your quick contribution, it seems to be working now.

@badele Glad it helped!
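
Added example, not part of the original thread and not nixos-anywhere's own code: a POSIX shell check for the symptom reported in this issue, flagging any entry in a copied tree that is not owned by the expected UID (root by default) and any private SSH host key that is not mode 600. The function names and the optional expected-UID argument are assumptions made for illustration; the sample tree is constructed and mirrors the layout from the first post with empty placeholder key files.

```shell
#!/bin/sh
# Added example: audit a staged or installed tree for wrong ownership and
# loose host-key modes. Function names here are hypothetical.

# audit_extra_files DIR [EXPECTED_UID]
# Prints one finding per line; returns 0 if the tree is clean, 1 otherwise.
audit_extra_files() {
    dir=$1
    want_uid=${2:-0}   # root unless told otherwise
    findings=$(
        # Directories count too: the report was about /etc and /etc/ssh.
        find "$dir" ! -uid "$want_uid" -print | sed 's/^/owner: /'
        # Private host keys must be exactly mode 600.
        find "$dir" -type f -name 'ssh_host_*_key' ! -perm 600 -print |
            sed 's/^/mode: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: same layout as the first post, empty placeholder keys.
make_sample_tree() {
    t=$(mktemp -d)
    install -d -m755 "$t/persist/etc/ssh"
    : > "$t/persist/etc/ssh/ssh_host_ed25519_key"
    : > "$t/persist/etc/ssh/ssh_host_ed25519_key.pub"
    chmod 600 "$t/persist/etc/ssh/ssh_host_ed25519_key"
    chmod 644 "$t/persist/etc/ssh/ssh_host_ed25519_key.pub"
    printf '%s\n' "$t"
}
```

Run against the copied tree on the target with no second argument, every `owner:` line is a path that did not end up owned by root.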