Reading material on Nix's store and file system management

Hello,

(Brief context- I recently logged in to another distro and found that my systemd needed authentication using a username not present in my culture, turned out there was a new user created by someone) (most likely some old mirror getting hacked)

Are there any reading materials on how the NixOS’s “readonly” filesystem works? I’m not a total noob, having used Linux for almost 6 years full time but for me last year NixOS was the first time seeing a “read-only” file system. My goal with this exercise is to learn if NixOS grants any additional security to me or is the read-only thing superficial and easily bypassed.

I am pretty new to NixOS so maybe somebody will yell at me but: Yes, it’s superficial and easily by-passed.

Somebody will probably tell you that due to its declarative nature it’s easier to create a new installation from scratch to fix your problem with NixOS. This is technically true but there are usually manual steps involved, especially on non-server machines so in the end you are still doing a re-install.

1 Like

Thank you, so I tried to find out some more and it looks like sudo mount /nix/store -o remount,rw can just remount the store as read-write and do whatever “bad” things they want to do…

I’m not sure if you’re interested in the practical bits or the theoretical bits. If you are interested in the latter, then the best source of reference is IMO Eelco Dolstra’s PhD thesis, that you can find here: https://github.com/edolstra/edolstra.github.io/raw/master/pubs/phd-thesis.pdf

1 Like