Warning about $HOME ownership

refaelsh · September 18, 2024, 8:29pm

I am new to Flakes. I just migrated. I am running this:

sudo nixos-rebuild test --flake ~/repos/dotfiles/#myNixos

And I get the following warning:

warning: $HOME ('/home/refaelsh') is not owned by you, falling back to the one defined in the 'passwd' file ('/root')

Please help

TLATER · September 19, 2024, 12:00am

Nix will refuse to use the directory set by $HOME as your home directory if it’s not owned by the same user as the one executing nix (which in this case is root because you’re using sudo), because otherwise permissions of various user-specific channel/profile files in your user’s home directory could break.

AIUI, normally the sudo policy that forces it to set the home directory to the target users’ is enabled by default on NixOS, though, which should make that feature never trigger. Ultimately there’s no harm done, nix does what sudo should be doing, but I guess you’ve played around with your sudoers file?

On an unrelated note, if you use the (very poorly named) --use-remote-sudo flag instead of manually calling sudo, nix can do all the usual build things without having to run as root, and only call sudo for the actual switch. This is generally nicer and a bit more robust (though it does mean you need to wait for the build to finish to type your password).

waffle8946 · September 19, 2024, 1:08am

And the reason nix even cares about $HOME in the first place is for things like caching, reading config, storing repl history, etc.

refaelsh · September 19, 2024, 6:11am

but I guess you’ve played around with your sudoers file?

No, I did not. Not as far as I am aware atleast

Also, yesterday, before the migration to flakes, when I was doing the ususal sudo nixos-rebuild switch --upgrade, there was no such warning. Something changed and I dont know what.

refaelsh · September 20, 2024, 11:54am

After some more googling, I still cant find an answer to how make this warning go away.
But I do have a new suspicion: I think it might be because I moved my flakes from /etc/nixos to ~/repos/dotfiles.

waffle8946 · September 20, 2024, 12:04pm

Did you change the permissions on the directory and its files to your user?

refaelsh · September 20, 2024, 12:20pm

I did not do it. But, it seems to be that way all by it self:

λ ls -ld ~/repos/dotfiles/*
Permissions Size User     Date Modified Git Name
.rw-r--r--   15k refaelsh 20 Sep 14:52   --  /home/refaelsh/repos/dotfiles/configuration.nix
.rw-r--r--   10k refaelsh 20 Sep 15:17   -M  /home/refaelsh/repos/dotfiles/flake.lock
.rw-r--r--   822 refaelsh 20 Sep 07:12   --  /home/refaelsh/repos/dotfiles/flake.nix
.rw-r--r--  1.6k refaelsh 19 Sep 20:10   --  /home/refaelsh/repos/dotfiles/hardware-configuration.nix
.rw-r--r--   21k refaelsh 18 Sep 23:24   --  /home/refaelsh/repos/dotfiles/home.nix
drwxr-xr-x     - refaelsh 18 Sep 23:46   --  /home/refaelsh/repos/dotfiles/misc
drwxr-xr-x     - refaelsh 19 Sep 22:17   --  /home/refaelsh/repos/dotfiles/nixvim
.rw-r--r--   415 refaelsh 18 Sep 23:51   --  /home/refaelsh/repos/dotfiles/README.md

TLATER · September 20, 2024, 1:09pm

That’s not it, my dotfiles are in $HOME too, and I know many others have them there.

If you use sudo -H explicitly the warning should go away.

refaelsh · September 20, 2024, 1:35pm

Running with sudo -H does help, also sudo -i helps too.
But it feels like a hack. Something is wrong and I want to know what.

TLATER · September 20, 2024, 1:45pm

That’s the equivalent of -H. -i does more than just that.

I suspect you somehow configured sudo not to do this inadvertently. Do you have your config somewhere online?

refaelsh · September 20, 2024, 2:03pm

Do you have your config somewhere online?

Sure. Gladly. Its here: https://github.com/refaelsh/dotfiles.

waffle8946 · September 20, 2024, 3:00pm

So there is some sudo config here:

github.com

refaelsh/dotfiles/blob/48696ba9ede5b1ebb0eb2b2ebae0bcf435dffa4b/configuration.nix#L66-L79


      
          sudo = {
            extraConfig = "Defaults env_keep += \"HOME\"";
            extraRules = [
              {
                users = [ "refaelsh" ];
                commands = [
                  {
                    command = "ALL";
                    options = [ "NOPASSWD" ];
                  }
                ];
              }
            ];
          };

What were you intending to do with this config?

TLATER · September 20, 2024, 3:44pm

And to be clear, that line does exactly what I expected, it changes your sudoers file to make sudo persist $HOME, which causes nix to print that warning.

Again, it’s not harmful per-se, but it will mess with your users’ files when you call sudo and run certain commands that lack this safety feature nix has, which is why most distros - including NixOS - disable this by default.

refaelsh · September 21, 2024, 4:55pm

What were you intending to do with this config?

No idea. This line has been there for years. I dont remember.

refaelsh · September 21, 2024, 4:56pm

Then, you think I should delete this line completely from my config?

TLATER · September 21, 2024, 8:00pm

Probably, you also should think hard about whether you really want NOPASSWD for all commands (or even any). It makes your user effectively root for security purposes, which isn’t exactly great.

refaelsh · September 21, 2024, 8:14pm

I understand. Thank you very much. I removed this line and the warning went away.

P.S.

you also should think hard about whether you really want NOPASSWD

Yes, I am aware of the implications.