author: Alexander Bantyev <balsoft@balsoft.ru> 2023-02-17 02:42:48 +0400
committer: Alexander Bantyev <balsoft@balsoft.ru> 2023-02-17 19:14:51 +0400
commit: ff8fd21304e9e61c1713eea86e4b50e317b635c6 (patch)
tree: 59bbb6cc265bc11d8acbac5e0c4854c419741f37
parent: Merge pull request #205878 from luizirber/lirber/screed (diff)
nixos-rebuild: use sudo when whoami != root [origin/sudo-by-default]
Currently, executing `nixos-rebuild switch` as a non-root user will result in a somewhat confusing error about being unable to link a profile to a nix store path. This is not ideal, especially as we already have most of the code to handle this properly and use `sudo` to elevate permissions to install. This is preferable for flakes (better eval caching), and also more intuitive for new users.
-rw-r--r-- nixos/doc/manual/manpages/nixos-rebuild.8 | 9
-rw-r--r-- nixos/doc/manual/release-notes/rl-2305.section.md | 2
-rwxr-xr-x pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh | 14
3 files changed, 22 insertions, 3 deletions
diff --git a/nixos/doc/manual/manpages/nixos-rebuild.8 b/nixos/doc/manual/manpages/nixos-rebuild.8
index 8ff59d6da9cf..39f28535490e 100644
--- a/nixos/doc/manual/manpages/nixos-rebuild.8
+++ b/nixos/doc/manual/manpages/nixos-rebuild.8
@@ -56,7 +56,9 @@ must run
.Nm
to make the changes take effect. It builds the new system in
.Pa /nix/store Ns
-, runs its activation script, and stop and (re)starts any system services if
+, runs its activation script (invoking
+.Ic sudo Ns
+\& if required), and stop and (re)starts any system services if
needed. Please note that user services need to be started manually as they
aren't detected by the activation script at the moment.
.
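Review bot: The parenthetical "(invoking sudo if required)" sits directly after "runs its activation script", which reads as if only activation is elevated and leaves "required" undefined. Suggest stating the condition the script actually tests (non-root caller, local target, --no-auto-sudo not given) or pointing to the --no-auto-sudo entry. Since this line is being rewritten anyway, "stop and (re)starts" could become "stops and (re)starts".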
@@ -355,6 +357,11 @@ or
is also set. This is useful when the target-host connection to cache.nixos.org
is faster than the connection between hosts.
.
+.It Fl -no-auto-sudo
+When set, disables automatic use of
+.Ic sudo Ns
+\& when deploying to localhost as a non-root user.
+.
.It Fl -use-remote-sudo
When set, nixos-rebuild prefixes remote commands that run on the
.Fl -build-host
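Review bot: The new --no-auto-sudo entry does not say what happens to an explicitly requested sudo. In nixos-rebuild.sh the flag only switches targetHostCmd back to maybeSudo, which is still populated when SUDO_USER or --use-remote-sudo is set, so the option disables the new default rather than sudo as such. A sentence on that interaction with --use-remote-sudo (documented right below) would keep users from assuming the flag guarantees an unprivileged run.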
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index 460d03b6c6de..5a9a15b93974 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -205,6 +205,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- A new `virtualisation.rosetta` module was added to allow running `x86_64` binaries through [Rosetta](https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment) inside virtualised NixOS guests on Apple silicon. This feature works by default with the [UTM](https://docs.getutm.app/) virtualisation [package](https://search.nixos.org/packages?channel=unstable&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm).
+- `nixos-rebuild` now uses `sudo` when deploying to localhost as a non-root user. This behaviour can be disabled with `--no-auto-sudo`.
+
- The new option `users.motdFile` allows configuring a Message Of The Day that can be updated dynamically.
- The `root` package is now built with the `"-Dgnuinstall=ON"` CMake flag, making the output conform the `bin` `lib` `share` layout. In this layout, `tutorials` is under `share/doc/ROOT/`; `cmake`, `font`, `icons`, `js` and `macro` under `share/root`; `Makefile.comp` and `Makefile.config` under `etc/root`.
diff --git a/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh b/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh
index f90da9db3bf8..d747e7a78815 100755
--- a/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh
+++ b/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh
@@ -32,6 +32,7 @@ specialisation=
buildHost=
targetHost=
remoteSudo=
+noAutoSudo=
verboseScript=
noFlake=
# comma separated list of vars to preserve when using sudo
@@ -127,6 +128,9 @@ while [ "$#" -gt 0 ]; do
--use-remote-sudo)
remoteSudo=1
;;
+ --no-auto-sudo)
+ noAutoSudo=1
+ ;;
--flake)
flake="$1"
shift 1
@@ -153,8 +157,10 @@ while [ "$#" -gt 0 ]; do
esac
done
+sudoCommand=(sudo --preserve-env="$preservedSudoVars" --)
+
if [[ -n "$SUDO_USER" || -n $remoteSudo ]]; then
- maybeSudo=(sudo --preserve-env="$preservedSudoVars" --)
+ maybeSudo=("${sudoCommand[@]}")
fi
# log the given argument to stderr if verbose mode is on
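Review bot: sudoCommand carries --preserve-env="$preservedSudoVars", and with this patch the same array is used for the automatic elevation, so the caller's values of those variables now reach root commands without the user having asked for sudo. Before, that only happened with SUDO_USER or --use-remote-sudo set. Worth confirming that every variable in preservedSudoVars is acceptable to inherit from an unprivileged environment by default, and mentioning the preserved environment in the --no-auto-sudo documentation.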
@@ -182,7 +188,11 @@ buildHostCmd() {
targetHostCmd() {
if [ -z "$targetHost" ]; then
- runCmd "${maybeSudo[@]}" "$@"
+ if [ "$(whoami)" = root ] || [ -n "$noAutoSudo" ]; then
+ runCmd "${maybeSudo[@]}" "$@"
+ else
+ runCmd "${sudoCommand[@]}" "$@"
+ fi
else
runCmd ssh $SSHOPTS "$targetHost" "${maybeSudo[@]}" "$@"
fi
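Review bot: In the new else branch of targetHostCmd, every command passed to the function is run through sudoCommand when the caller is not root, whether or not that particular command needs root. If any caller uses targetHostCmd for work an unprivileged user could do, this elevates it unnecessarily and triggers a password prompt; consider elevating only at the call sites that need it, or documenting that targetHostCmd is for root-only commands. Separately, the root test compares a user name from `whoami`; `[ "$EUID" -eq 0 ]` (the script already relies on bash via `[[ ]]`) or `id -u` checks the uid directly and avoids the extra process.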