Self-built custom LXC/Incus container image suddenly has 777 permissions for /

[heini]

Hi,

two weeks ago, I created customized NixOS 24.05 images for Incus, following https://wiki.nixos.org/wiki/Incus#Custom_Images. These images worked fine out of the box.

Yesterday, I created another set, for both 24.05 and 24.11, and found that I could not login to instances launched from these images via SSH. The reason for this was the the root filesystem has 777 permissions instead of 755, which made sshd complain and reject any login attempt.

# incus shell test

[root@nixos:~]# ll -a /
total 4
drwxrwxrwx   1 root   root     98 Dec  1 18:25 .       # <-- These permissions are wrong
drwxrwxrwx   1 root   root     98 Dec  1 18:25 ..
drwxr-xr-x   1 root   root      4 Dec  1 18:25 bin
drwxr-xr-x   9 root   root    520 Dec  1 18:25 dev
drwxr-xr-x   1 root   root    772 Dec  1 18:25 etc
drwxr-xr-x   1 root   root      0 Dec  1 18:25 home
drwxr-xr-x   1 root   root      0 Dec  1 18:25 mnt
drwxr-xr-x   1 root   root     16 Dec  1 18:25 nix
dr-xr-xr-x 270 nobody nogroup   0 Dec  1 18:25 proc
drwx------   1 root   root     50 Dec  1 18:25 root
drwxr-xr-x  16 root   root    420 Dec  1 18:25 run
drwxr-xr-x   1 root   root      8 Dec  1 18:25 sbin
drwxr-xr-x   1 root   root      0 Dec  1 18:25 srv
dr-xr-xr-x  13 nobody nogroup   0 Nov 30 20:36 sys
drwxrwxrwt   1 root   root    658 Dec  1 18:25 tmp
drwxr-xr-x   1 root   root      6 Dec  1 18:25 usr
drwxr-xr-x   1 root   root     82 Dec  1 18:25 var

NOTE: The image configuration didn't change between the two attempts, except for running nix flake update since the first (successful) image creation.

BTW, while we're at it: On said wiki page...

1. The second example for "all in one command", which should be the one for container images, just repeats the one for VMs.
2. In the commands, the .#nixosConfigurations... parts should be quoted, like '.#nixosConfigurations...', since otherwise the shell tries to interpret them.