From 30f95296488bb0040c80537d0c67621a00b6ffff Mon Sep 17 00:00:00 2001
From: Sachi King
Date: Thu, 12 Sep 2024 21:47:14 +1000
Subject: [PATCH] Bootstrap: make-btrfs-fs: Fix filesystem permissions

Fakeroot was not taking effect, resulting in all files being owned by UID 1000 and GID 100. Use unshare to enter a user namespace with the user mapped as root such that the files loaded into the btrfs filesystem are owned by the root user and thus fixing multiple boot issues related to permissions and security. Namely, systemd-tmpfiles refuses to operate on a number of paths and sshd refuses to accept pubkeys due to insecure permissions in path. The nix-store also would be editable by UID 1000, and maybe members of GID 100. The nix-daemon eventually cleans this up, but should never be this way.
---
 modules/sbc/bootstrap/make-btrfs-fs.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/sbc/bootstrap/make-btrfs-fs.nix b/modules/sbc/bootstrap/make-btrfs-fs.nix
index 6269d1d..f0ea346 100644
--- a/modules/sbc/bootstrap/make-btrfs-fs.nix
+++ b/modules/sbc/bootstrap/make-btrfs-fs.nix
@@ -16,7 +16,7 @@
 , uuid ? "44444444-4444-4444-8888-888888888888"
 , btrfs-progs
 , libfaketime
-, fakeroot
+, util-linux
 , subvolMap ? {}
 }:
@@ -26,7 +26,7 @@ in
 pkgs.stdenv.mkDerivation {
   name = "btrfs-fs.img${lib.optionalString compressImage ".zst"}";
-  nativeBuildInputs = [ btrfs-progs libfaketime fakeroot ] ++ lib.optional compressImage zstd;
+  nativeBuildInputs = [ btrfs-progs libfaketime util-linux ] ++ lib.optional compressImage zstd;
   buildCommand = let
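Review bot: The swap to `util-linux` in nativeBuildInputs is made only to obtain unshare(1), and neither this line nor the derivation records the assumption that brings: `unshare -U -r` in the buildCommand hunk below needs the build sandbox's kernel to allow unprivileged user namespaces, and `-r` maps only the build user's uid/gid to 0, so any file under ./rootImage owned by a different uid or gid would be stored in the image as the kernel's overflow id (65534 by default) rather than its real owner. A short comment on the input would make the dependency explicit, e.g. `# util-linux: unshare(1) runs mkfs.btrfs in a user namespace with the build user mapped to root, so image files are owned by uid/gid 0 (replaces fakeroot, which did not take effect)`. Where unprivileged user namespaces are disabled, unshare exits non-zero and the build fails instead of silently producing a UID-1000-owned image, which is the safer outcome, but an early `unshare -U -r true || { echo "unprivileged user namespaces unavailable"; exit 1; }` in buildCommand would make that failure easier to diagnose. The mkDerivation attribute set this hunk belongs to continues past the hunk.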
@@ -73,7 +73,7 @@ pkgs.stdenv.mkDerivation {
     ${subvolMovePaths}
     touch $img
-    faketime -f "1970-01-01 00:00:01" fakeroot mkfs.btrfs -L ${volumeLabel} -U ${uuid} ${subvolMkfsArgs} -r ./rootImage --shrink $img
+    faketime -f "1970-01-01 00:00:01" unshare -U -r mkfs.btrfs -L ${volumeLabel} -U ${uuid} ${subvolMkfsArgs} -r ./rootImage --shrink $img
     if ! btrfs check $img; then
       echo "--- 'btrfs check' failed for BTRFS image ---"