[Nix-dev] sudo and nix-channel (was: Re: NixOS channel)

Florian Friesdorf flo at chaoflow.net
Sun Jun 17 18:51:32 CEST 2012


On Sun, 17 Jun 2012 15:46:02 +0400, Kirill Elagin <kirelagin at gmail.com> wrote:
> Ahh... I don't get how this works. According to `man sudoers`, env_reset is
> enabled by default, so $HOME should be set to the target user's home (and,
> indeed, that happens in my Gentoo box).
> On the other hand, description of `-H` option in `man sudo` states that “By
> default, sudo does not modify HOME (see set_home and always_set_home in
> sudoers(5))“, while `man sudoers` says that always_set_home “is off by
> default”. Who to trust??
> 
> Either the environment should be reset or nix-channel should use $USER
> instead of $HOME to find the path to .nix-channels.

thx! I forgot about -H, this works:

$ sudo -H nix-channel --update


In case of sudo to root, I think we always want -H implied, but in case
of sudo -u <someuser>, this might be different.

possibilities:

1. set always_set_home, it is not possible to keep the sudoing user's
   HOME

2. find a way to set -H if sudoing to root

3. find a way to disable always_set_home from the cmdline

4. educate users to use -H option


At least with only a quick scan of sudo and sudoers man pages, I could
not find a solution for 2 and 3. 1 feels limiting, so I currently tend
to 4.

What do you think?

regards
florian

> 2012/6/17 Florian Friesdorf <flo at chaoflow.net>
> 
> > On Tue, 15 May 2012 14:11:43 -0400, Eelco Dolstra <
> > eelco.dolstra at logicblox.com> wrote:
> > > Hi all,
> > >
> > > Since a few weeks there is a NixOS channel, which is now the default mechanism
> > > for keeping NixOS up to date.  (A channel is a Nix mechanism for distributing a
> > > consistent set of Nix expressions and binaries.)  A quick summary on how to use it:
> > >
> > > $ nix-channel --add http://nixos.org/releases/nixos/channels/nixos-unstable
> > > $ nix-channel --update
> >
> > $ sudo nix-channel --add ...
> >
> > creates the ~/.nix-channels in the HOME of the user running sudo, not
> > /root.
> >
> > $ sudo nix-channel --update
> >
> > creates ~/.nix-defexpr/channels in the HOME of the user running sudo,
> > not /root.
> >
> >
> > $ sudo -i
> > # nix-channel --add ...
> > # nix-channel --update
> >
> > work like expected inside /root.
> >
> >
> > It feels not many people are using sudo to directly run commands or to
> > rephrase: is anybody except me using sudo without -i?
> >
> > Do we want to support running commands with sudo and if, what is the
> > expected behaviour?
> >
> > Use user config but do things as root?
> > Use root config and do things as root?
> >
> > I think the latter, as using user config as root is dangerous and
> > especially in case of the channels, feels wrong.
> >
> > better:
> >
> > $ nix-channel --add  (adds a channel for the current user)
> > $ sudo nix-channel --add (adds a channel for root)
> >
> >
> > regards
> > florian
> > --
> > Florian Friesdorf <flo at chaoflow.net>
> >  GPG FPR: 7A13 5EEE 1421 9FC2 108D  BAAF 38F8 99A3 0C45 F083
> > Jabber/XMPP: flo at chaoflow.net
> > IRC: chaoflow on freenode,ircnet,blafasel,OFTC
> >

-- 
Florian Friesdorf <flo at chaoflow.net>
  GPG FPR: 7A13 5EEE 1421 9FC2 108D  BAAF 38F8 99A3 0C45 F083
Jabber/XMPP: flo at chaoflow.net
IRC: chaoflow on freenode,ircnet,blafasel,OFTC
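The mismatch discussed in this thread (sudo without -H leaving HOME pointing at the invoking user's directory, so nix-channel writes ~/.nix-channels and ~/.nix-defexpr/channels there instead of under /root) can be detected without relying on how sudo was invoked. The script below is an added example, not code from the thread or from Nix: it resolves the effective user's real home from the passwd database and reports where the two files named in the thread would land. The function names (passwd_home, channels_file, defexpr_dir, home_check) are invented for this illustration, and it assumes a readable /etc/passwd and an awk in PATH.

```shell
#!/bin/sh
# Added example (not code from the thread or from Nix): resolve the effective
# user's real home from the passwd database instead of trusting $HOME, and
# report where nix-channel's per-user files would land. Under `sudo` without
# -H this reports a mismatch; under `sudo -H` or `sudo -i` it reports ok.

# Home directory field of the passwd entry with the given uid.
# Reads /etc/passwd by default (a second argument overrides the file);
# users served by NSS/LDAP would need `getent passwd` instead.
passwd_home() {
    uid="$1"
    awk -F: -v u="$uid" '$3 == u { print $6; exit }' "${2:-/etc/passwd}"
}

# The two per-user paths the thread says nix-channel derives from HOME.
channels_file() { printf '%s/.nix-channels\n' "$1"; }
defexpr_dir()   { printf '%s/.nix-defexpr/channels\n' "$1"; }

# Compare the HOME a command would see with the effective user's real home.
# Prints "ok" if they agree, "mismatch" otherwise (always exits 0).
home_check() {
    env_home="$1"
    real_home="$2"
    if [ -n "$real_home" ] && [ "$env_home" = "$real_home" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# Stand-alone run against the current process environment.
real="$(passwd_home "$(id -u)")"
case "$(home_check "${HOME:-}" "$real")" in
    ok) echo "HOME=${HOME:-} matches the effective user's home" ;;
    mismatch)
        echo "warning: HOME=${HOME:-} but uid $(id -u) lives in '${real:-?}'" >&2
        echo "  nix-channel would write $(channels_file "${HOME:-}")" >&2
        echo "  and $(defexpr_dir "${HOME:-}")" >&2 ;;
esac
```

Run it as `sudo ./home-check.sh` and then as `sudo -H ./home-check.sh` to see the two outcomes side by side; the same lookup could be used by a wrapper that refuses to run nix-channel when HOME does not belong to the effective user, which is option 2 from the list above implemented outside of sudo itself.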