[Nix-dev] Polkit action files installed via nix-env don't appear to be recognised by Polkit/Pkexec/Pkaction

Roger Qiu roger.qiu at matrix.ai
Wed May 31 08:47:42 CEST 2017


Yea that seems right, allowing users to nix-env install things, 
everything must be unprivileged, allowing the usage of such polkit files 
in nix-env means the users can make use of pkexec to elevate to root 
when executing anything.

However in non-package manager use cases, installing such a package with 
`make install` would require super user privileges to install the action 
policy file into /usr/share/polkit-1/actions. Therefore nix-env could 
make use of such a fact, and instead suggest the user to install using 
`sudo nix-env` if the package has a polkit policy file. This would 
prevent such a security hole, since the user must be root to be able to 
install such a package. Such suggestions could be encoded in the nix 
expression file.

Which brings up the next question, would installing via `sudo nix-env` 
setup the polkit policy files properly such that polkit will know about it?

Thanks,
Roger

On 31/05/2017 4:34 PM, Bjørn Forsman wrote:
> On 31 May 2017 at 07:44, Roger Qiu <roger.qiu at matrix.ai> wrote:
>> Hi all,
>>
>> Normally a polkit action file on a non-NixOS system would be installed in
>> /usr/share/polkit-1/actions. On NixOS this location is instead at
>> /run/current-system/sw/share/polkit-1/actions. The action files stored here
>> are recognised by polkit, which can be demonstrated by running `pkaction`,
>> this results in showing the titles of each action id.
>>
>> However some packages may supply action files, and are installed via
>> nix-env. The action files in this case are instead stored in
>> ~/.nix-profile/share/polkit-1/actions. My tests show that these action files
>> are not being recognised by polkit. Running pkaction does not show any
>> package the action files that are inside ~/.nix-profile/...
>>
>> Is there a work around here?
>>
>> Browsing the polkit docs doesn't mention anything about looking up
>> user-specific action files, they all just say action files are to be at
>> /usr/share/polkit-1/actions. If polkit only looks up 1 location, then should
>> nix-env be symlinking action files into
>> /run/current/system/sw/share/polkit-1/actions?
> Wouldn't that mean unprivileged users are allowed to raise their own
> permissions? (That doesn't sound like a good idea.)
>
> Best regards,
> Bjørn Forsman

-- 
Founder of Matrix AI
https://matrix.ai/
+61420925975



More information about the nix-dev mailing list