This was already said in the thread twice, but to be absolutely clear, yes, it’s impossible to use sudo within *.fhs for security reasons.
The workarounds were already provided as well.
1 Like
There’s the official wiki and the nixos-rebuild manual page (sorta).
1 Like
Non-FHS should support that as well.
For now I assume that you could just change.
1 Like
I don’t really understand the reluctance to consider this an actual issue. I’m fairly new to NixOS, but looking at the documentation for buildFHSEnv the goal doesn’t seem to be security or strong isolation but the ability to run applications which don’t natively support NixOS.
https://ryantm.github.io/nixpkgs/builders/special/fhs-environments/#sec-fhs-environments
It works similar to containerisation technology such as Docker or FlatPak but provides no security-relevant separation from the host system.
This is not an official documentation site; you should only be looking at docs from nixos.org or nix.dev - in this case https://nixos.org/manual/nixpkgs/unstable/#sec-fhs-environments.
Anyway it’s explained more clearly in buildFHSEnv: binaries with capabilities cannot make use of them · Issue #217119 · NixOS/nixpkgs · GitHub.
Ultimately you are better off just using the regular vscode. I don’t really understand the copy-pasted desire to use vscode-fhs other than “someone else did so I must too.”
This is not an official documentation site; you should only be looking at docs from nixos.org or nix.dev - in this case Nixpkgs Reference Manual.
I don’t know what point you are trying to make, the text is exactly the same. I just quoted the docs that someone else did in this thread.
Ultimately you are better off just using the regular vscode. I don’t really understand the copy-pasted desire to use vscode-fhs other than “someone else did so I must too.”
The reasoning being entire workflows aren’t supported by it. What is the point of using an application when most of its capability won’t work without an ever increasing number of overrides and configuration hacks. We already have tools and workflows for working with/in vscode, and if Nix can’t support then its on Nix.
The point is to stick to using official manuals instead of 2-year outdated sites.
If you need to run sudo and insist on using vscode-fhs, run it outside the fhs. We’re not going to fork the kernel and open a security hole just for this edge case. It’s that simple.
btw, buildFHSEnv is also a hack, so is the entirety of nix and NixOS, it’s just a matter of taste, maintainability, and security as to which hacks are tolerable.
It sounds like less a matter of taste and more-so inflexibility and platform incompetence. I don’t see the point of reproducibility when whole standard workflows aren’t supported. No one’s asking anyone to fork the kernel or introduce security vulnerabilities, just to simply treat this an actual issue and not “you’re doing it wrong”. I think this really shows the downsides of Nix, the Nix community, and I’m realizing its not the developer friendly OS I expected.
1 Like
It’s a kernel limitation, as mentioned in the link I posted earlier and the quote I mentioned. I think it’s well-explained how you are basically asking for a security hole, and standard-for-you != standard. Though if you have a better solution to propose do so, it’s open source after all. But if you are just asking for everyone else to drop things and work on your problem for free, I think you will find limited success with that approach in any open-source community, especially after hurling insults 
It doesn’t for extensions
Using and syncing extensions using VSCode alone and without nixification
Some environment wouldn’t work with nix (including VSCode web)
However, I understand the security implications of making sudo work from within a sandboxed .fhs package and the tradeoff using .fhs implies
I use sync and assumed I needed the fhs edition. I swapped yesterday and the extensions were there, working on non-fhs one. I added a new one while on my windows work laptop. I’ll boot my personal up in a bit to check the changes.
2 Likes
I also have been told that extensions wouldn’t work without .fhs but I just tested and indeed, the non-fhs version also was able to install and sync extensions too
Then, I do not know any benefit of vscode.fhs compared to vscode
1 Like