How to use sudo in home.activation scripts?

I want to do something like this but have tried and also think this is not correct.

home.activation = {
  spicetify-apply = lib.hm.dag.entryAfter ["writeBoundary"] ''
    run ${pkgs.spicetify-cli}/bin/spicetify apply
    run sudo chmod a+wr /var/lib/flatpak/app/com.spotify.Client/x86_64/stable/active/files/extra/share/spotify
    run sudo chmod a+wr -R /var/lib/flatpak/app/com.spotify.Client/x86_64/stable/active/files/extra/share/spotify/Apps
  '';
};

Can anyone please tell me any alternative or correct way? Thanks!

HM is for user-level management; if you want to manage the system you’d use a NixOS option or system-manager and so on.

Though I’m not sure what you intend to accomplish with said commands here.


Here, I want to provide spicetify permission to edit those folders so that it can apply configurations there.

Doing that in the first place is the smell here - it’s almost certainly an XY problem. What are you trying to accomplish with this?


Exactly as said above. I’ve used spicetify for months without needing root access, so this struck me as odd.

Sorry for not mentioning the whole thing,
Actually, I was trying to set up a home-manager config for myself and was trying to set up spicetify. And then I tried to find an HM module and didn’t find one.

I have learned about Nix modules recently and, out of sheer curiosity, I tried to create an HM module to do something like this:

module.spicetify = {
  enable = true;
  theme = "Dribbblish";
  color = "catppuccin-mocha";
};

And I have created that too, and it works fine. But I just want to make sure that if I reinstall my system completely from the dotfiles, it should execute these commands automatically.

Therefore, led by my curiosity, I asked it here. I am sure that there exists a better way to do this using Nix; it’s just that I am quite new to Nix. Again, sorry for the confusion 🙁

I use the-argus/spicetify-nix on GitHub (a nix flake for configuring spicetify, including packaging for many popular themes and extensions) for this.


Damn, crazy. I think they should mention this more on their website too. 🙂

Thanks for the response @waffle8946, but I still didn’t get the answer to whether sudo can be used in these types of scripts.

I thought my first reply answered that - don’t use sudo in HM.

(I’d go further and say, if you’re ever thinking about using sudo in a script, you might want to reconsider your approach.)


To expand on that: sudo simply executes something as another user, limited by some configuration. It’s a very powerful tool, but its simplicity makes it very hard to use. You need to be incredibly careful in controlling what exactly is permitted, and the environment it is called in, to both prevent accidental privilege escalation while still giving all users involved enough permissions to do what they need. Furthermore, if something is not possible as a specific user, the application is almost certainly designed for it to be impossible - limiting the permissions of a specific user is a deliberate choice, messing with that breaks the entire design.

All of this is less bad when you’re doing just a small task manually, but the moment you script it, it becomes fairly easy to misuse. Honestly, even using it manually is often a mistake; many novices break their systems that way. NixOS is luckily somewhat robust to this thanks to the nix store being read-only even to the root user, but you can definitely still screw some stuff up.

sudo should only be used if you’re absolutely certain of every single side effect it has, and that there is no better way to achieve what you want. I’d say making flatpak apps world-writable is definitely not within the realm of knowing every single side effect it has - imagine a user from a sandbox that ends up executing malicious code overwriting your Spotify executable with a keylogger, for example. This kind of stuff completely breaks the assumptions around user management that allow distributions and applications to manage security layers for you. It kind of defies the purpose of using flatpak altogether.

Even if sudo doesn’t cause any actual problems, it’s quite hard to use in scripts, because by design it requires some authentication from the user. This means that your scripts now need to run interactively - which makes many use cases completely impossible.

You could configure sudo to permit very specific commands, or give it some kind of long cache, but now we’re back to compromising security.

The point is: sudo should only ever be used to perform one-off administrative tasks with a very specific scope. Don’t use it as a crutch to “fix” file permissions when you aren’t sure why they are the way they are, and definitely don’t script it to make such changes.

If you really need to execute something as another user, it’s best to make that user do that in the first place via something more controlled like systemd. Managing disk mounts is, for example, best done via udisks. If you need to execute something as another user, home-manager is definitely not the right place to do that, since it’s configuration for your user’s home directory. It should never be changing files not owned by your user.

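The advice above boils down to: an activation script should only ever touch files your own user owns inside $HOME, and should fail loudly rather than escalate. As an added example (not code from the thread or from home-manager), here is a small guard in the style of an activation snippet; the function names hm_owned_path, hm_guarded_chmod and demo are hypothetical, and HM_HOME is an assumed override of $HOME used only so the demo can run against a scratch directory.

```shell
#!/usr/bin/env bash
# Added example: guard helpers for home-manager style activation snippets.
# They refuse to run as root and refuse any path that is outside the home
# directory or not owned by the invoking user, so there is never a reason
# (or a way) to reach for sudo from inside the script.

# Return 0 only when $1 is under the home directory and owned by us.
hm_owned_path() {
  local p=$1 home=${HM_HOME:-$HOME}   # HM_HOME: assumed override for tests
  case "$p" in
    "$home"/*) ;;                      # must live inside the home directory
    *) echo "refusing: $p is outside $home" >&2; return 1 ;;
  esac
  # Reject files owned by someone else (e.g. root-owned flatpak app data).
  [ -O "$p" ] || { echo "refusing: $p is not owned by $(id -un)" >&2; return 1; }
  return 0
}

# chmod only after the guard passes; never escalates privileges.
hm_guarded_chmod() {
  local mode=$1 target=$2
  [ "$(id -u)" -ne 0 ] || { echo "refusing to run as root" >&2; return 1; }
  hm_owned_path "$target" || return 1
  chmod "$mode" "$target"
}

# Constructed demonstration: one path inside $HOME (allowed) and the
# flatpak path from the original question (blocked).
demo() {
  local d
  d=$(mktemp -d "${HM_HOME:-$HOME}/hm-guard-demo.XXXXXX")
  hm_guarded_chmod u+w "$d" && echo "ok: $d"
  hm_guarded_chmod a+wr /var/lib/flatpak || echo "blocked as expected"
  rmdir "$d"
}
```

Source the file and call demo to see both branches; in a real activation snippet only the two guard functions are needed.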

Got it! Thanks for sharing

I switched to this fork by @Gerg-L since it’s better maintained.

Yeah, I basically completely rewrote it.
