--extra-files copied to target machine with original user's ownership
madsamjp opened this issue · 7 comments
I'm having an issue with this command:
install -d -m755 "$temp/persist/etc/ssh"
...
chmod 600 "$temp/persist/etc/ssh/ssh_host_ed25519_key"
chmod 644 "$temp/persist/etc/ssh/ssh_host_ed25519_key.pub"
nix run github:nix-community/nixos-anywhere -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
nixos-anywhere seems to be copying the extra files as the original user, thus breaking my installation. /etc and /etc/ssh are owned by 1000:users, when they should be root:root
I noticed this after the recent rsync related merge today: #325, so not sure if it's related to that, or if I'm doing something dumb.
I've run the command using the last revision before today's merge, and the issue goes away, confirming that the recent merge is the source of the issue:
nix run github:nix-community/nixos-anywhere/242444d228636b1f0e89d3681f04a75254c29f66 -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
This makes sense. Sorry for that. The original idea is to let the user set up permissions etc. But well, this situation should be better taken care of.
This issue ruined my entire weekend, which is ironic for a tool supposed to set up an instance in less than 5 minutes!
Indeed, it crashes the entire installation, especially the SSHD server! For security reasons, SSH is strict about the owner of the /var/empty file. However, if you mistakenly copy a file into /etc/, the entire root directory changes its owner to the user.
You can see on the new installation, the boot problem
Several options are possible:
- Run nixos-anywhere as root, which I am not very keen on.
- Offer the possibility to execute a post-script on new installation
Also, recommending the use of the command nix run github:nix-community/nixos-anywhere is counterproductive because it uses the latest version and not a locked version.
I think it would be better to advise using nix run nixpkgs#nixos-anywhere or similar so that it uses a locked version?
@badele Please try nix run github:Prince213/nixos-anywhere/extra-files and see if that solves the problem? All files will be owned by root.
Hi @Prince213 thanks for your quick contribution, it seems to be working now.
@badele Glad it helped!
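A check for the symptom reported in this thread, as an added example that is not part of the original issue or of nixos-anywhere: it walks a tree (for instance the installed system's root) and reports paths not owned by the expected uid, plus SSH host private keys accessible by group or other. The function names `audit_tree` and `count_findings` are hypothetical, and GNU find is assumed.

```shell
#!/bin/sh
# Added example, not nixos-anywhere code. Assumes GNU find (-uid, -perm /MODE).

# audit_tree ROOT [UID]
# Prints one finding per line:
#   "owner PATH"  PATH under ROOT is not owned by UID (default 0, i.e. root)
#   "mode PATH"   an ssh_host_*_key private key has group/other permission bits
audit_tree() {
    root=$1
    want_uid=${2:-0}
    # Wrong owner: the thread reports /etc and /etc/ssh ending up as 1000:users.
    find "$root" ! -uid "$want_uid" -exec printf 'owner %s\n' {} \;
    # Host private keys must not be readable or writable by group or other
    # (the issue's script sets them to 600).
    find "$root" -type f -name 'ssh_host_*_key' -perm /077 \
        -exec printf 'mode %s\n' {} \;
}

# count_findings ROOT [UID]: number of findings reported by audit_tree.
count_findings() {
    audit_tree "$@" | wc -l | tr -d ' '
}

# When called with arguments (e.g. ./audit.sh /mnt), print the findings and
# exit non-zero if there are any, so the check can gate a deployment script.
if [ "$#" -gt 0 ]; then
    audit_tree "$@"
    [ "$(count_findings "$@")" = "0" ] || exit 1
fi
```

Run it against the target's filesystem as root; the staging directory on the local machine is expected to be owned by the invoking user, so pass that uid as the second argument if you audit it there.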