Bootstrap: make-btrfs-fs: Fix filesystem permissions
Fakeroot was not taking effect, resulting in all files being owned by
UID 1000 and GID 100.

Use unshare to enter a user namespace with the user mapped as root such
that the files loaded into the btrfs filesystem are owned by the root
user and thus fixing multiple boot issues related to permissions and
security.  Namely, systemd-tmpfiles refuses to operate on a number of
paths and sshd refuses to accept pubkeys due to insecure permissions in
path.

The nix-store also would be editable by UID 1000, and maybe members of
GID 100.  The nix-daemon eventually cleans this up, but should never be
this way.
nakato committed Sep 12, 2024
1 parent e0c4d12 commit 30f9529
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions modules/sbc/bootstrap/make-btrfs-fs.nix
Expand Up @@ -16,7 +16,7 @@
, uuid ? "44444444-4444-4444-8888-888888888888"
, btrfs-progs
, libfaketime
, fakeroot
, util-linux
, subvolMap ? {}
}:
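Review bot: Swapping the `fakeroot` argument for `util-linux` in the function header changes the interface of make-btrfs-fs.nix. The argument set closes with `}:` and no `...`, so any caller that still passes `fakeroot` explicitly will fail evaluation with an unexpected-argument error; the call sites should be checked as part of this change. Since `util-linux` is wanted only for `unshare`, a short comment next to the argument would also save the next reader from guessing why it is there.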

Expand All @@ -26,7 +26,7 @@ in
pkgs.stdenv.mkDerivation {
name = "btrfs-fs.img${lib.optionalString compressImage ".zst"}";

nativeBuildInputs = [ btrfs-progs libfaketime fakeroot ] ++ lib.optional compressImage zstd;
nativeBuildInputs = [ btrfs-progs libfaketime util-linux ] ++ lib.optional compressImage zstd;

buildCommand =
let
Expand Down Expand Up @@ -73,7 +73,7 @@ pkgs.stdenv.mkDerivation {
${subvolMovePaths}
touch $img
faketime -f "1970-01-01 00:00:01" fakeroot mkfs.btrfs -L ${volumeLabel} -U ${uuid} ${subvolMkfsArgs} -r ./rootImage --shrink $img
faketime -f "1970-01-01 00:00:01" unshare -U -r mkfs.btrfs -L ${volumeLabel} -U ${uuid} ${subvolMkfsArgs} -r ./rootImage --shrink $img
if ! btrfs check $img; then
echo "--- 'btrfs check' failed for BTRFS image ---"
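Review bot: Nothing after the new `unshare -U -r mkfs.btrfs` line confirms that the files in the image are owned by 0:0; `btrfs check $img` only validates filesystem structure. The commit message says fakeroot was silently not taking effect, so an ownership assertion on the finished image, run before the build is allowed to succeed, would turn a repeat of that regression into a build failure rather than an image whose nix-store is editable by UID 1000. Separately, `unshare -U -r` only works where the build environment permits unprivileged user namespaces; a one-line comment above the command stating that requirement would help whoever hits the error on a locked-down builder.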