[Nix-dev] Polkit action files installed via nix-env don't appear to be recognised by Polkit/Pkexec/Pkaction
Roger Qiu
roger.qiu at matrix.ai
Wed May 31 09:42:11 CEST 2017
Hi Linus,
Good response! This would be a great info in a wiki somewhere.
I have a question:
> To allow nix-env as root to install polkit actions, you could probably
add /nix/var/nix/profiles/default to polkit's search path.
Disregarding it being a bad idea, how is this possible? Are you
suggesting overriding the derivation during package build of polkit?
Thanks,
Roger
On 31/05/2017 5:35 PM, Linus Heckemann wrote:
> On 31/05/17 07:47, Roger Qiu wrote:
>> Yea that seems right, allowing users to nix-env install things,
>> everything must be unprivileged, allowing the usage of such polkit files
>> in nix-env means the users can make use of pkexec to elevate to root
>> when executing anything.
>>
>> However in non-package manager use cases, installing such a package with
>> `make install` would require super user privileges to install the action
>> policy file into /usr/share/polkit-1/actions. Therefore nix-env could
>> make use of such a fact, and instead suggest the user to install using
>> `sudo nix-env` if the package has a polkit policy file. This would
>> prevent such a security hole, since the user must be root to be able to
>> install such a package. Such suggestions could be encoded in the nix
>> expression file.
>>
>> Which brings up the next question, would installing via `sudo nix-env`
>> setup the polkit policy files properly such that polkit will know about it?
> No. nix-env modifies the default, not the system profile (when running
> as root) because modifying the system profile requires activating it.
>
> What you'd want in this case is usually to add the package in question
> to environment.systemPackages and use nixos-rebuild switch to switch to
> the new generation. This results in the policy files ending up in
> /run/current-system/sw/share/polkit-1/actions, providing the
> security.polkit.enable option is set to true. That way the configuration
> is declarative which is more consistent with "The NixOS way".
>
> To allow nix-env as root to install polkit actions, you could probably
> add /nix/var/nix/profiles/default to polkit's search path. This is a bad
> idea compared to using the systemwide declarative configuration for
> several reasons though:
>
> - The changes won't be picked up automatically, you would have to
> restart polkit.service yourself. When using the system configuration,
> this is done by the activation script.
>
> - The packages won't be updated together with the rest of the system.
> This could be a security issue depending on whether you remember to run
> nix-env -u as root as frequently as nixos-rebuild.
>
> - The configuration isn't declarative and there's no single source of
> truth for where rules come from! This is the norm on most other
> distributions of course, but who really wants a less transparent system?
>
> So overall I recommend adding any packages whose polkit actions you want
> available to systemPackages rather than using nix-env to manage them.
>
> Best regards,
> Linus
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> https://mailman.science.uu.nl/mailman/listinfo/nix-dev
--
Founder of Matrix AI
https://matrix.ai/
+61420925975
More information about the nix-dev
mailing list