How to make a derivation's executables, have the +s permission?

So today I learned something about mount: There’s a not well known feature of it, which allows specifying in fstab a bind mount with the users option, and this allows non root users to mount a directory on demand, without root permissions. Here’s where I learned it:

It appears (according to this discussion that mount needs to have these permissions in order to allow this feature:

-rwsr-xr-x 1 root root 66944 Aug 12 23:14 mount

The mount in the /nix/store doesn’t have these permissions (naturally). Therefor it is incapable of performing this operation. It can be verified if one runs:

cp $(readlink --canonicalize $(where mount)) ./
sudo chown root:root ./mount
sudo chmod u+ws ./mount

And then tries to run ./mount /local/dir vs mount /local/dir.

I’d like to write PR that will make utillinux set this permission to the mount executable. A glance at:

$ find -L /run/current-system/sw/bin -perm -4000

Suggests that this is the only executable we do set these permissions ? But I couldn’t find where it came from.

Files in /nix/store should never have setuid permissions. That’s always done through wrapper scripts that should be created automatically in NixOS that reside in /run/wrappers/bin.

$ which ping
$ which unix_chkpwd

This is configured through this option:

It appears that this isn’t done for mount on NixOS. Not sure if that’s intentional or just an oversight.


Hmm I see. So what do you think would be the best way to make this happen - via a new, enabled by default module? Or perhaps directly in utillinux itself? As in:

The derivation utillinux is unable to do it. It’s part of the system configuration.
The line you’re linking to only creates a link in sbin, which has no influence on the wrapper.
The actual wrapping happens through this:

An easier example would be the mtr module, which only creates a wrapper.

1 Like

Maybe here would be a good option.


Thanks @primeos, that was easy :), now live at: .