Hi there. Does anyone know how to get sudo privileges inside an FHS?
Minimal example of a buildFHSUserEnv:
```
# shell.nix
{ pkgs ? import <nixpkgs> {} }:
(pkgs.buildFHSUserEnv {
  name = "example";
  targetPkgs = pkgs: (with pkgs; [ libgcc ]);
  runScript = "bash";
}).env
```
Start with `nix-shell`. But sudo is disabled:
```
$ sudo
sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.
```
Any help welcome, thanks!
4 Likes
I would love to know this too, since I want to get a deb file running that has binaries that need root.
https://ryantm.github.io/nixpkgs/builders/special/fhs-environments/
It seems that FHSEnv will not by design be able to allow root.
You just can’t do it.
Or I am missing something.
1 Like
I’m also still looking for a solution. But I just found this workaround; however, I have not tried it out yet.
Some other links that may help and that I need to have a closer look at when I find time to do so:
1 Like
Atemu
June 4, 2024, 1:10pm
5
The only attainable “proper” way out I can think of is to use polkit to elevate privileges. The new systemd 256 actually has a tool precisely for that purpose, which you might want to check out, or build yourself atop systemd-run.
opened 06:29AM - 24 Sep 19 UTC
0.kind: bug
**Describe the bug**
Running `sudo` inside the environment of `buildFHSUserenv.… env` does not work.
**To Reproduce**
Steps to reproduce the behavior:
1. Create `shell.nix` with
```
{ pkgs ? import <nixpkgs> {} }:
(pkgs.buildFHSUserEnv {
  name = "sudo-env";
  targetPkgs = pkgs: with pkgs; [ sudo ];
  runScript = "bash";
}).env
```
2. Run `nix-shell`
3. Run `sudo whoami`
**Expected behavior**
`sudo whoami` should print `root`
**Actual behaviour**
```
$ sudo whoami
sudo: /nix/store/v6l2sacryfr88yqq0pq7sia8wfgm9q31-wrapper.c:203: main: Assertion `!(st.st_mode & S_ISUID) || (st.st_uid == geteuid())' failed.
Aborted
```
**Additional context**
I think this is caused by the owner of `sudo` being `nobody:nogroup`:
```
# Inside FHS env
$ ls -l /run/wrappers/bin/sudo
-r-s--x--x 1 nobody nogroup 17704 Sep 22 13:08 /run/wrappers/bin/sudo
# Outside FHS env
$ ls -l /run/wrappers/bin/sudo
-r-s--x--x 1 root root 17704 Sep 22 15:08 /run/wrappers/bin/sudo
```
**Metadata**
- system: `"x86_64-linux"`
- host os: `Linux 5.3.0, NixOS, 20.03pre193781.d484f2b7fc0 (Markhor)`
- multi-user?: `yes`
- sandbox: `no`
- version: `nix-env (Nix) 2.3`
- nixpkgs: `/nix/store/2p5njn4s0i93s9i8pwg276ibb15ynpyn-foo`
which is this unstable channel `nixos-20.03pre193781.d484f2b7fc0`
Maintainer information:
```yaml
# a list of nixpkgs attributes affected by the problem
attribute: buildFHSUserEnv
```
cc @abbradar
1 Like
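A diagnostic for the two failures reported in this thread, added here as an example and not taken from any post or from nixpkgs: it reads the Linux `NoNewPrivs` field of `/proc/self/status` (the flag named in the first sudo error) and the process's `uid_map` (an unmapped root is why `sudo` shows up as `nobody:nogroup` in the issue). The function names are made up for this example, and the `uid_map` test is a heuristic that only recognises the identity map of the initial user namespace.

```shell
#!/usr/bin/env bash
# Added example: report why a setuid sudo cannot elevate in the current shell.
# Both functions read the live /proc files by default; a path to a saved copy
# can be passed instead.

# Print the NoNewPrivs value (0 or 1) from a /proc/<pid>/status file.
# Fails if the field is absent (kernels older than 4.10 do not expose it).
no_new_privs() {
  awk '$1 == "NoNewPrivs:" { print $2; found = 1 } END { exit !found }' \
    "${1:-/proc/self/status}"
}

# Succeed only if uid_map is the single identity line "0 0 4294967295",
# which is what the initial (host) user namespace shows.
initial_userns() {
  awk 'NR == 1 && $1 == 0 && $2 == 0 && $3 == 4294967295 { ok = 1 }
       END { exit !(ok && NR == 1) }' "${1:-/proc/self/uid_map}"
}

# Print a one-line verdict. Arguments: [status file] [uid_map file].
diagnose() {
  nnp=$(no_new_privs "${1:-/proc/self/status}" 2>/dev/null) || nnp=unknown
  if [ "$nnp" = 1 ]; then
    # With no_new_privs set, execve() grants nothing from setuid/setgid bits.
    echo "blocked: no_new_privs is set, setuid bits are ignored on exec"
  elif ! initial_userns "${2:-/proc/self/uid_map}" 2>/dev/null; then
    # Host uid 0 is not mapped, so root-owned files appear as nobody.
    echo "blocked: user namespace, root-owned setuid files are not owned by root here"
  else
    echo "no blocker found by these checks"
  fi
}

diagnose "$@"
```

Run it once in the host shell and once inside the `nix-shell` FHS environment to compare the two verdicts.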