You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
For some reason installing via nix-env puts the action file into ~/.nix-profile/share/polkit-1/actions/...
This directory doesn't appear to be scanned by polkit which prevents the action file from being used. The only directory that does get scanned is the /run/current-system/sw/share/polkit-1/actions/...
The text was updated successfully, but these errors were encountered:
Yea that seems right, allowing users to nix-env install things, everything must be unprivileged, allowing the usage of such polkit files in nix-env means the users can make use of pkexec to elevate to root when executing anything.
However in non-package manager use cases, installing such a package with make install would require super user privileges to install the action policy file into /usr/share/polkit-1/actions. Therefore nix-env could make use of such a fact, and instead suggest the user to install using sudo nix-env if the package has a polkit policy file. This would prevent such a security hole, since the user must be root to be able to install such a package. Such suggestions could be encoded in the nix expression file.
Which brings up the next question, would installing via sudo nix-env setup the polkit policy files properly such that polkit will know about it?
No. nix-env modifies the default, not the system profile (when running
as root) because modifying the system profile requires activating it.
What you'd want in this case is usually to add the package in question
to environment.systemPackages and use nixos-rebuild switch to switch to
the new generation. This results in the policy files ending up in
/run/current-system/sw/share/polkit-1/actions, providing the
security.polkit.enable option is set to true. That way the configuration
is declarative which is more consistent with "The NixOS way".
To allow nix-env as root to install polkit actions, you could probably
add /nix/var/nix/profiles/default to polkit's search path. This is a bad
idea compared to using the systemwide declarative configuration for
several reasons though:
The changes won't be picked up automatically, you would have to
restart polkit.service yourself. When using the system configuration,
this is done by the activation script.
The packages won't be updated together with the rest of the system.
This could be a security issue depending on whether you remember to run
nix-env -u as root as frequently as nixos-rebuild.
The configuration isn't declarative and there's no single source of
truth for where rules come from! This is the norm on most other
distributions of course, but who really wants a less transparent system?
So overall I recommend adding any packages whose polkit actions you want
available to systemPackages rather than using nix-env to manage them.
For some reason installing via nix-env puts the action file into ~/.nix-profile/share/polkit-1/actions/...
This directory doesn't appear to be scanned by polkit which prevents the action file from being used. The only directory that does get scanned is the /run/current-system/sw/share/polkit-1/actions/...
The text was updated successfully, but these errors were encountered: