Nix: inability to resolve some ~wrapped / impure setuid executables such as sudo #29

@abathur

Nix has to special-case some setuid executables, and this disrupts resholve's ability to resolve them to absolute paths. (There are a number of interlocking issues here, and I suspect this will take some time--and some willingness to be squeaky wheels--to get this fixed in Nixpkgs. I vaguely plan to document these issues--but for now I'm just outlining.)

I don't have a lot of the Nix(OS)/nixpkgs system-level perspective to have the best handle on all of this. I get the impression there isn't a canonical list, but guessing from the run wrappers on my own NixOS system, this seems like a fair list:

chsh dbus-daemon-launch-helper fusermount3 fusermount kcheckpass kwin_wayland mount newgidmap newgrp newuidmap passwd ping pkexec polkit-agent-helper-1 sg start_kdeinit sudoedit sudo su umount unix_chkpwd

In the near future, I'll update resholve to raise the following error for a cross-platform subset (ping chsh newgrp passwd su sudo mount umount) of these whenever NIX_BUILD_TOP is in the environment:

There is not yet a good way to resolve 'sudo' in Nix builds. Your feedback may help me (and the Nix community) understand what the best course of action is here.

See https://github.com/abathur/resholve/issues/29 for info, feedback, and potential workarounds.

In the short term, your best bets for working around this are:

  1. Add a fake directive via the CLI or the Nix API. Here's an example of what this would look like for sudo:
     • CLI: --fake 'external:sudo'
     • Nix:
         fake = {
           external = [ "sudo" ];
         };
  2. Use resholve's prologue option to inject (at the head of the script) some refinement based on your context:
     • A run-time check that will abort execution if the lookup fails.
     • Add/change the PATH to ensure the lookup will succeed.
     • Define a function or alias that executes any specific absolute path you need.
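As an added example of the second workaround (not code from this issue or from resholve): a prologue that checks at run time that each name it is given exists as a setuid executable in the NixOS wrapper directory, aborts with a clear message otherwise, and defines a same-named shell function pinned to that absolute path. It assumes the script was built with the fake directive above; the `/run/wrappers/bin` location, the `WRAPPER_DIR` override and the function names are assumptions.

```shell
#!/bin/sh
# Added example prologue for a resholve'd script; not resholve's own code.
# Assumes the script was built with `fake = { external = [ "sudo" ]; }`, so
# resholve leaves `sudo` unresolved and this check runs before the script body.

# Directory where NixOS places its setuid wrappers (assumed; overridable).
: "${WRAPPER_DIR:=/run/wrappers/bin}"

# resolve_wrapper NAME [DIR]: print the absolute path of NAME inside DIR
# (default WRAPPER_DIR) if it is an executable with the setuid bit set;
# return 1 otherwise. A fixed directory, not PATH, is searched so that a
# writable PATH entry cannot shadow the real wrapper.
resolve_wrapper() {
  local name dir candidate
  name=$1
  dir=${2:-$WRAPPER_DIR}
  candidate="$dir/$name"
  if [ -f "$candidate" ] && [ -x "$candidate" ] && [ -u "$candidate" ]; then
    printf '%s\n' "$candidate"
    return 0
  fi
  return 1
}

# require_wrappers NAME...: abort if any NAME has no setuid wrapper;
# otherwise define a shell function of the same name that always executes
# the verified absolute path, so later lookups in the script cannot drift.
require_wrappers() {
  local name path
  for name in "$@"; do
    case $name in
      *[!A-Za-z0-9_]*) printf 'error: bad wrapper name %s\n' "$name" >&2; return 1 ;;
    esac
    if ! path=$(resolve_wrapper "$name"); then
      printf 'error: no setuid wrapper for %s in %s\n' "$name" "$WRAPPER_DIR" >&2
      return 1
    fi
    eval "$name() { \"$path\" \"\$@\"; }"
  done
}

# Typical use at the head of the script:
# require_wrappers sudo || exit 1
```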

In some more limited cases, you may know that you have access to an executable that doesn't actually need a setuid wrapper and you really just need resholve to get out of your way. If you're really sure, you can tell it to back off by adding a fix directive via the CLI or the Nix API. Here's an example of what this would look like for sudo:

  • CLI: --fix 'sudo'
  • Nix:
      fix = {
        sudo = true;
      };
