[Nix-dev] Polkit action files installed via nix-env don't appear to be recognised by Polkit/Pkexec/Pkaction
Linus Heckemann
acc at sphalerite.org
Wed May 31 09:35:10 CEST 2017
On 31/05/17 07:47, Roger Qiu wrote:
> Yea that seems right, allowing users to nix-env install things,
> everything must be unprivileged, allowing the usage of such polkit files
> in nix-env means the users can make use of pkexec to elevate to root
> when executing anything.
>
> However in non-package manager use cases, installing such a package with
> `make install` would require super user privileges to install the action
> policy file into /usr/share/polkit-1/actions. Therefore nix-env could
> make use of such a fact, and instead suggest the user to install using
> `sudo nix-env` if the package has a polkit policy file. This would
> prevent such a security hole, since the user must be root to be able to
> install such a package. Such suggestions could be encoded in the nix
> expression file.
>
> Which brings up the next question, would installing via `sudo nix-env`
> setup the polkit policy files properly such that polkit will know about it?
No. nix-env modifies the default, not the system profile (when running
as root) because modifying the system profile requires activating it.
What you'd want in this case is usually to add the package in question
to environment.systemPackages and use nixos-rebuild switch to switch to
the new generation. This results in the policy files ending up in
/run/current-system/sw/share/polkit-1/actions, providing the
security.polkit.enable option is set to true. That way the configuration
is declarative which is more consistent with "The NixOS way".
To allow nix-env as root to install polkit actions, you could probably
add /nix/var/nix/profiles/default to polkit's search path. This is a bad
idea compared to using the systemwide declarative configuration for
several reasons though:
- The changes won't be picked up automatically, you would have to
restart polkit.service yourself. When using the system configuration,
this is done by the activation script.
- The packages won't be updated together with the rest of the system.
This could be a security issue depending on whether you remember to run
nix-env -u as root as frequently as nixos-rebuild.
- The configuration isn't declarative and there's no single source of
truth for where rules come from! This is the norm on most other
distributions of course, but who really wants a less transparent system?
So overall I recommend adding any packages whose polkit actions you want
available to systemPackages rather than using nix-env to manage them.
Best regards,
Linus
More information about the nix-dev
mailing list