A recent kernel update broke my system. I found a workaround by upgrading the kernel to latest (6.6.2). But, when I change the kernel version, sudo (and su for that matter) are broken. They will fail instantly without asking for password, logging that all three tries have failed for sudo.
Currently, I only see one option which would be to set my kernel version to the last working version which is 6.1.55. But I don’t know how to do it.
What could be the cause of this and how can I fix it ?
After a bit of looking around, I found that /etc/pam.d/sudo and /etc/pam.d/su were both empty after nixos-rebuild. It looks like something in the config file is wiping those files. I haven’t check for all the pam.d/* files yet. But this is definitly not normal ! For now, as a workaround, I writing the config file by hand in my configuration.nix file by copying the previous values. I’ll post an update on what I have done exactly tomorrow.
I’ll post a link to the issue I opened on github which has a fix for this bug. Even though, it is not meant to be permanent.
I’ll add that any new generation after the kernel upgrade will wipe those files, so this seems like an issue with NixOS. I highly doubt that my config file is in cause because I did not mess with sudo in any way. I’m wondering if everyone has those files in their system though, even if I’m pretty sure everyone does.
Issue : Upgrading the kernel wipes sudo and su pam.d files · Issue #270373 · NixOS/nixpkgs · GitHub
i can’t reproduce your bug.
/etc/pam.d/su /etc/pam.d/sudo are not empty.
config ?
logs ?
Having built thousands of generations over the years with workstations tracking unstable and servers on whatever is the current stable - and having built latest unstable just now, I have neither seen empty /etc/pam.d/* files nor heard anyone mention that. This is either a misconfiguration on your part or faulty hardware.
Edit : config file
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
{ config, pkgs, inputs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./pam-fix.nix
];
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
networking.hostName = "nixos"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Enable networking
networking.networkmanager.enable = true;
# Set your time zone.
time.timeZone = "Europe/Paris";
# Select internationalisation properties.
i18n.defaultLocale = "fr_FR.UTF-8";
i18n.extraLocaleSettings = {
LC_ADDRESS = "fr_FR.UTF-8";
LC_IDENTIFICATION = "fr_FR.UTF-8";
LC_MEASUREMENT = "fr_FR.UTF-8";
LC_MONETARY = "fr_FR.UTF-8";
LC_NAME = "fr_FR.UTF-8";
LC_NUMERIC = "fr_FR.UTF-8";
LC_PAPER = "fr_FR.UTF-8";
LC_TELEPHONE = "fr_FR.UTF-8";
LC_TIME = "fr_FR.UTF-8";
};
# Enable the X11 windowing system.
services.xserver.enable = true;
# Enable the KDE Plasma Desktop Environment.
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
# Configure keymap in X11
services.xserver = {
layout = "fr";
xkbVariant = "";
};
# Configure console keymap
console.keyMap = "fr";
# Enable CUPS to print documents.
services.printing.enable = true;
# Enable sound with pipewire.
sound.enable = true;
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;
# use the example session manager (no others are packaged yet so this is enabled by default,
# no need to redefine it in your config for now)
#media-session.enable = true;
};
# Enable bluetooth
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = true;
services.blueman.enable = true;
environment.etc = {
"wireplumber/bluetooth.lua.d/51-bluez-config.lua".text = ''
bluez_monitor.properties = {
["bluez5.enable-sbc-xq"] = true,
["bluez5.enable-msbc"] = true,
["bluez5.enable-hw-volume"] = true,
["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
}
'';
};
# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
# Overlays
nixpkgs.overlays = [
(self: super: {
waybar = super.waybar.overrideAttrs (oldAttrs: {
mesonFlags = oldAttrs.mesonFlags ++ [ "-Dexperimental=true" ];
});
})
];
# Define a user account. Don't forget to set a password with ‘passwd’.
users.users.redcode = {
isNormalUser = true;
description = "Dan Liebault";
extraGroups = [ "networkmanager" "wheel" ];
packages = with pkgs; [
firefox
kate
];
};
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# Allow insecure
nixpkgs.config.permittedInsecurePackages = [
"python-2.7.18.6"
];
# Allow unstable
nixpkgs.config.packageOverrides = pkgs: {
unstable = import <nixos-unstable> {
config = config.nixpkgs.config;
};
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
# desktop/utils
hyprland
xdg-desktop-portal-gtk
xdg-desktop-portal-hyprland
swww
rofi-wayland
unstable.waybar
dunst
cliphist
wl-clipboard
wineWowPackages.waylandFull
pavucontrol # audio
# system
psmisc
# networking
networkmanagerapplet
#blueman
# apps
vscode-with-extensions
megasync
discord
darktable
# tools
kitty
git
imagemagick
];
#programs.waybar.package = inputs.hyprland.packages.${pkgs.system}.waybar-hyprland;
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
programs.hyprland = {
enable = true;
nvidiaPatches = true;
xwayland = {
enable = true;
};
};
fonts.fonts = with pkgs; [
font-awesome
nerdfonts
];
xdg.portal = {
enable = true;
wlr.enable = true;
};
xdg.portal.extraPortals = with pkgs; [
xdg-desktop-portal-wlr
xdg-desktop-portal-gtk
];
environment.sessionVariables = {
NIXOS_OZONE_WL = "1";
};
# List services that you want to enable:
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It‘s perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}
you can check your hardware with tools like memtest(ram) and smartmontools(hdd).
strip your configuration.nix file to the minimum, you can use /* */ commentary and/or # ,
then re-add one config option at a time.
If your system config is done as a flake, you can also try this:
cd $where_your_config_is
nix repl
# Then inside the repl, load the flake config
:lf .
nixosConfigurations.your-host-name.config.environment.etc."pam.d/su".text
# this should give you null. If you have an empty string instead, you know something is messing with it
nixosConfigurations.your-host-name.config.environment.etc."pam.d/su".source
# this should give you a derivation - not the same path as me
«derivation /nix/store/y8zw8708p64f579kz6pfi0bfszhnl419-su.pam.drv»
# now take a look at it outside the repl
cat /nix/store/y8zw8708p64f579kz6pfi0bfszhnl419-su.pam.drv
# a look for the filename following "out" and cat that:
cat /nix/store/12wav088kp22snm01wc4pbkbfy27mfz4-su.pam
If the last file has (correct) data, it’s something to do with the activation scripts.
You are not configuring sudo, so that’s why it doesn’t work.
{
security.sudo.enable = true;
}
I already tried this before. It doesn’t resolve the issue. Besides, it was working prior the kernel upgrade without the need to explicit sudo and the problem doesn’t only comes from sudo but also from su.