I’m using getfleek.dev (which uses nix and home-manager under the hood) to manage my packages on my OSX Ventura host. The security team pinged me because they have been alerted on their security systems that:
/nix/var/nix/profiles/default/bin/nix-daemon attempted to stop or kill the Background Task Management Agent, possibly to establish persistence without user notification.
And every time I interact with fleek to install/uninstall/update nix packages, it seems to raise those security alerts.
I’m trying to get nix approved by the security team in my company but in the meantime… can this behaviour be disabled somehow or at least, can it be documented? I’ve seen nix-daemon - Nix Reference Manual but it basically says nothing.
Seeing the same thing here. I’m poking around in the nix codebases on github, but not finding much to explain why it would be sending signals to an OS X managed process like the background task mgmt agent.
What does nix-info -m show? Does getfleek.dev enable the sandbox by default?
If sandboxing is enabled, I suspect what’s happening is the sandbox preventing the agent from running. Run Console.app while building something and check for any sandbox errors related to BackgroundTaskManagementAgent.
We are also seeing this come up in CrowdStrike repeatedly for our Nix users. Would love this to get some more attention so we can understand exactly what is happening.
I’m not particularly familiar with what these systems or the BackgroundTaskManagementAgent are doing, but:
The manpage for it describes it as a per-user agent that manages notifications of background tasks.
nix-daemon manages a collection of build users, and one of the last steps in any build is to kill any remaining processes running under the build user:
If macOS is forcing the BTMA to run under Nix’s service users, it is going to get killed.
(In the longer run there’s some prospect of replacing build users with the experimental auto-uid-allocation feature, but I believe the detsys installer tried using this by default and ended up having to disable it for both macOS and Linux due to some problems, I think with ~nameless UIDs.)
Oh that’s interesting – I’m glad you shared that hypothesis @abathur. Even if it’s not entirely true, it has helped me to better understand how the nix-daemon interacts with processes.
On my machine at least, I can confirm that the BackgroundTaskManagementAgent is being managed by launchd, but the process is owned by my user. How could I check which build user nix uses to spawn processes for build users?
It’ll use one of the nixbldN users. (On macOS, these are prefixed with _.)
I think if you invoke with -vvv it’ll log the build user or maybe its UID (fair warning, this will be quite a bit of output…)
I don’t think that’ll divulge exactly what’s getting killed. That might be visible in Console.app if macOS logs it, and otherwise you might be able to run something like ps -f -G 30000 (where 30000 is typically the GID for the nixbld users) during a build.
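As an added example (not from this thread, and not Nix's own code), here is a small shell helper that applies the check suggested above: take a `ps` listing, keep only the processes whose group is the nixbld group, and report whether the BackgroundTaskManagementAgent is among them. The GID 30000, the store-path hashes and the two `ps` listings are constructed for the example; the second listing shows what the hypothesis in this thread would look like if it were true (the agent running under a `_nixbldN` user). The `dscl` and `ps` lines in the trailing comment are what you would actually run on macOS during a build.

```shell
#!/bin/sh
# Hypothetical helper: filter a `ps -axo uid,gid,pid,comm` listing down to the
# processes whose effective GID is the nixbld group, and check whether the
# BackgroundTaskManagementAgent is one of them (those would be killed at the
# end of a build, per the thread's hypothesis).

# Print "uid pid command" for every process in the given GID.
# $1: GID of the nixbld group; stdin: ps output including its header line.
nixbld_procs() {
    awk -v gid="$1" 'NR > 1 && $2 == gid { print $1, $3, $4 }'
}

# Exit 0 if the BackgroundTaskManagementAgent is running under the nixbld group.
btma_under_nixbld() {
    nixbld_procs "$1" | grep -q 'BackgroundTaskManagementAgent'
}

# Constructed sample: the agent runs as the logged-in user (uid 501, gid 20),
# two build processes run under build users with GID 30000.
SAMPLE_PS_OK='  UID   GID   PID COMM
  501    20   412 /System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Versions/A/Resources/BackgroundTaskManagementAgent
  301 30000  9001 /nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-bash-5.2/bin/bash
  302 30000  9010 /nix/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-gcc-12.3.0/bin/cc1
    0     0   101 /nix/var/nix/profiles/default/bin/nix-daemon'

# Constructed sample of the hypothesised bad case: the agent shows up under a
# build user, so the daemon's end-of-build cleanup would signal it.
SAMPLE_PS_BAD='  UID   GID   PID COMM
  301 30000   412 /System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Versions/A/Resources/BackgroundTaskManagementAgent
  301 30000  9001 /nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-bash-5.2/bin/bash
    0     0   101 /nix/var/nix/profiles/default/bin/nix-daemon'

# Demo on the constructed listings.
printf '%s\n' "$SAMPLE_PS_OK" | nixbld_procs 30000

# Live use on macOS while a build is running (not executed here):
#   gid=$(dscl . -read /Groups/nixbld PrimaryGroupID | awk '{ print $2 }')
#   ps -axo uid,gid,pid,comm | nixbld_procs "$gid"
#   ps -axo uid,gid,pid,comm | btma_under_nixbld "$gid" && echo "agent under nixbld"
```

If the live check ever reports the agent under the nixbld group, that is direct evidence for the hypothesis above; if it never does, the signal the EDR sees is coming from somewhere other than the build-user cleanup and Console.app is the next place to look.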
@minWi Have you found anything new regarding this?
I have been getting the same issue, preventing me from using Nix on my work MacBook as it triggers a security alert due to attempts to kill the background services needed by our IT team.
I hope that there is a way to exclude specific background services from being killed.