Making shell commands available *to root only*, from Nixos config, without home-manager

Help
1

Without using home-manager (I can’t use home-manager until nixos: optionally use user service for activation (updates #2548) by zackw · Pull Request #6981 · nix-community/home-manager · GitHub is merged, and also it’s not clear to me whether home-manager works at all for the root account), is it possible to write something in a NixOS configuration.nix that will make a set of shell-command packages available to the root account, but not system-wide? Concretely, take this module…

{ lib, pkgs, ... }:
{
  environment.defaultPackages = with pkgs; [
    bind.dnsutils
    bind.host
    curl
    file
    lsof
    nvi
    rsync
    strace
    traceroute
    tinyxxd
    whois
  ];


  programs.git.enable = true;
  programs.htop.enable = true;
  programs.less = {
    enable = true;
    lessopen = lib.mkForce null;
  };
  environment.sessionVariables.EDITOR = lib.mkForce "nvi";
}

… and make all its effects apply only to the root account, as if they were defined by the root account’s profile, but without actually creating a profile for the root account.

(You may assume that the systemwide configuration includes programs.nano.enable=false and environment.defaultPackages=lib.mkForce [].)

2

Does users.users.<name>.packages work on the root account?

2 Likes
3

Seconded, this would be my exact go-to given the ask.

4

You can’t really do this for only the root account without some very manual finagling.

5

It looks like I can get most of what I want with users.users.root.packages. The biggest missing piece is a declarative way to set environment variables for specific users (something like users.users.<name>.environment.sessionVariables).

6

You could add an if id -u block to environment.loginShellInit. Assuming you want to set up a login environment for the root user.

7

That might do for a workaround, thanks.

8

Hjem is an alt project compared to home-manager that does allow management of root, though it’s merely a simple mechanism for basic tasks like linking files. However, that is likely enough to set the appropriate rc file.

9

Hjem does not currently support activation-on-login, so they’d likely reject it for the same reason they rejected home-manager.

10

The point was only for a way to configure the root’s shell environment. I’m not sure if that is what they’re looking for but linking a file into root’s home might be good enough, which can be done with hjem and cannot be done at all with home-manager.

11

Well, no, they have other requirements:

and fyi I’m one of the authors of hjem :wink: and it currently doesn’t satisfy this requirement, though we’re open to it. I’ve not tested root user config either.

12

I’m not arguing, it won’t fully solve the problem as stated, but can potentially assist as an amendable solution as brought up later in the thread.

I can confirm hjem manages root, I’ve been using it for that purpose over a year and it’s seamless.

13

Thinking about it some more, it occurs to me that I don’t need pam_mount compatibility on the machine where I was trying to restrict a bunch of shell commands to root, and I also don’t need most of home-manager’s fanciness. hjem might be just the thing, I’ll look at it.

2 Likes