What is a "censored" root?

I just tried looking up the roots of a nix store entry, and got this:

ubuntu@bitbop:~/nixpkgs$ nix-store --query --roots /nix/store/9g61mni2pb00npwcfack037lc7gzw4r0-xla-unstable
{censored} -> /nix/store/9g61mni2pb00npwcfack037lc7gzw4r0-xla-unstable

What is {censored} and why does nix refuse to tell me something useful here?

2 Likes

That’s probably a live process running under a different user. Using sudo will let you see all roots.

1 Like

Huh, interesting. I was the only user logged in to the system at the time AFAIK.

Could we consider outputting something less opaque, e.g.

ubuntu@bitbop:~/nixpkgs$ nix-store --query --roots /nix/store/9g61mni2pb00npwcfack037lc7gzw4r0-xla-unstable
{pid 12345} -> /nix/store/9g61mni2pb00npwcfack037lc7gzw4r0-xla-unstable

1 Like

I think the issue with that would be that it leaks information about which processes are reading which files.

If you don’t want to use sudo, I think the other workaround is to add your user to trusted-users in nix.conf (though the manual states that this is tantamount to giving that user root permissions, since it allows tampering with the store).

3 Likes

A normal linux system will have dozens of “users” running stuff to ensure appropriate permission management. “User” is a permission management concept in this context, it doesn’t refer to people.

As an example, systemd’s process will be owned by the root “user”.

2 Likes

Yes, I’m familiar with the concept of users in linux. My wording here was perhaps vague.

I think the issue with that would be that it leaks information about which processes are reading which files.

This wouldn’t be revealing any more information than is accessible in /proc/{pid}/fd though?

If you don’t want to use sudo, I think the other workaround is to add your user to trusted-users in nix.conf (though the manual states that this is tantamount to giving that user root permissions, since it allows tampering with the store).

I’m already a member of trusted-users, but it is still censoring for me.

That directory is not accessible to processes of other users. Additionally, some processes might only have a restricted view of /proc due to systemd hardening etc.

1 Like
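To make the two replies above concrete (roots found by scanning /proc, and the uid-based censoring policy that hides other users' processes), here is an added shell sketch. It is not nix's own code: it models the behaviour with a scanner limited to /proc/<pid>/fd (nix also consults other /proc entries such as exe, cwd and maps) and a separate censoring step that stands in for the daemon's policy; it assumes a Linux /proc and a `readlink` binary.

```shell
# scan_fd_roots STOREPATH  ->  lines "pid uid target" on stdout
# Walks every readable /proc/<pid>/fd and reports descriptors that point
# at STOREPATH or a file below it. This is a model of nix's root scan, not
# its implementation.
scan_fd_roots() {
    storepath=$1
    for fddir in /proc/[0-9]*/fd; do
        pid=${fddir#/proc/}; pid=${pid%/fd}
        # fd directories of other uids (or a hardened /proc view) are not
        # readable without root/CAP_SYS_PTRACE; an unprivileged scanner
        # simply cannot see those roots and skips them.
        [ -r "$fddir" ] || continue
        uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null) || continue
        for link in "$fddir"/*; do
            dest=$(readlink "$link" 2>/dev/null) || continue
            case $dest in
                "$storepath"|"$storepath"/*) printf '%s %s %s\n' "$pid" "$uid" "$storepath" ;;
            esac
        done
    done | sort -u
}

# censor_roots CALLER_UID  (reads "pid uid target" lines on stdin)
# Daemon-style policy, modelled here as an assumption: a caller sees the pid
# only for processes under their own uid (uid 0 sees all); every other root
# is reported as "{censored}", so the caller learns that a root exists but
# not which process, or whose, holds it. Returns 0 if any line was emitted.
censor_roots() {
    caller=$1
    emitted=1
    while read -r pid uid target; do
        if [ "$caller" = 0 ] || [ "$caller" = "$uid" ]; then
            printf '{pid %s} -> %s\n' "$pid" "$target"
        else
            printf '{censored} -> %s\n' "$target"
        fi
        emitted=0
    done
    return $emitted
}
```

Run `scan_fd_roots /nix/store/<hash>-xla-unstable | censor_roots "$(id -u)"` as a normal user to see only your own processes' roots; as root the same pipeline shows every pid.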