Provide SHELL for sudo -s invocation of activation script#3040
Merged
rycee merged 2 commits intonix-community:masterfrom Sep 19, 2022
Merged
Provide SHELL for sudo -s invocation of activation script#3040rycee merged 2 commits intonix-community:masterfrom
rycee merged 2 commits intonix-community:masterfrom
Conversation
rycee
reviewed
Jun 19, 2022
Member
|
LGTM but I think some nix-darwin users should give it a try before merging. I only have a minor comments about the commit message, could you make the first line a bit shorter? I think something like
should suffice since the rest of the excellent commit message explains things quite clearly. Also "Home-Manager" should be "Home Manager". About using bash for the activation script, this is an absolute requirement. We use quite a few bash specific features in the activation script. The |
toonn
added a commit
to toonn/home-manager
that referenced
this pull request
Jun 20, 2022
In nix-community#587, kalbasit introduce the `-i` flag so the sudo invocation would run in an environment with `HOME` set to the correct value for the target user. This was necessary to be able to set up multiple users without interfering with the invoking user's `HOME`. In nix-community#807, I switched to `-s` instead because I managed to get an invalid shell set for my user by switching `useUserPackages` from `true` to `false` which changes the location where packages are installed and `~/.nix-profile/bin/<my-shell>` was no longer valid. This was based on the assumption that `SHELL` would be set to some sensible value by Home Manager at this point. This turned out to be false as reported in nix-community#2900. In 0ced6d6 (this commit's parent at this time), I explicitly set `SHELL` to `${pkgs.bash}` so it is definitely set to a good shell when invoking the activation script. However, nix-community#807 broke activation for multiple users, the original motivation for `-i`, as reported in nix-community#2856. I fixed this in nix-community#2857 by additionally passing `--set-home`. Further discussion with rycee in nix-community#3040 made me realize that the activation script already has a good Nix store bash shebang. So all the problems have been caused, not by the shell used for the activation script but by sudo trying to use a different shell at all. `-i` uses the shell set in the `passwd` file for the target user, but this can become invalid as happened to me. `-s` uses either `SHELL` if it's defined or the invoking user's shell as set in the `passwd` file. By explicitly setting this to a shell provided by Nix we make sure we're not trying to launch a non-existent shell. However, we're clearly already running in an existing shell and because of `--set-home` we can activate other users properly so there's not actually any need to try to have sudo start a different shell first, it just adds an extra process that then goes on to run the activation script with a good bash because of the shebang. Dropping `-s` altogether and keeping `--set-home` should avoid all of these issues.
Contributor
Author
|
@rycee, thanks for the rubber ducking, you made me realize that both I would indeed welcome ample testing because I've made a mess of things trying to conserve the wrong part of |
|
Thank you for your contribution! I marked this pull request as stale due to inactivity. Please read the relevant sections below before commenting. If you are the original author of the PR
If you are not the original author of the PR
|
Contributor
Author
|
As far as I'm concerned this is ready for merge. I have no way to test this because I can't reproduce the issue from #2900 but I'm fairly confident this is the proper fix. |
In nix-community#807 I changed the flag passed to `sudo` from `-i` to `-s` so `sudo` wouldn't use a non-existent shell defined in the `passwd` file. kalbasit also reported in that PR that `-i` didn't work for them anymore on an M1 Mac, presumably because Apple changed something in newer versions of macOS. Some users reported that this broke the behavior for them because `SHELL` was set to a path that didn't even exist on their system. It's unclear how this came to be but it shows that my assumption that `SHELL` would be set to a reasonable shell by Home Manager at this point in the activation is false. As a way around this problem we can explicitly set `SHELL` when running the activation script to a value that we know will be good, like `${pkgs.bash}`. One change in behavior this causes is that the activation script will always be run by bash, not the user's shell. If the script is generated by Home Manager this is fine since it can be generated taking into account the supported set of functions and behaviors. If the intent is for the activation script to possibly be run by non-bash and even non-POSIX shells, like tcsh, ksh or Xonsh, then this fix will not suffice. Turns out this is indeed an assumption made by Home Manager, so this is the proper behavior. Fixes nix-community#2900
In nix-community#587, kalbasit introduce the `-i` flag so the sudo invocation would run in an environment with `HOME` set to the correct value for the target user. This was necessary to be able to set up multiple users without interfering with the invoking user's `HOME`. In nix-community#807, I switched to `-s` instead because I managed to get an invalid shell set for my user by switching `useUserPackages` from `true` to `false` which changes the location where packages are installed and `~/.nix-profile/bin/<my-shell>` was no longer valid. This was based on the assumption that `SHELL` would be set to some sensible value by Home Manager at this point. This turned out to be false as reported in nix-community#2900. In 0ced6d6 (this commit's parent at this time), I explicitly set `SHELL` to `${pkgs.bash}` so it is definitely set to a good shell when invoking the activation script. However, nix-community#807 broke activation for multiple users, the original motivation for `-i`, as reported in nix-community#2856. I fixed this in nix-community#2857 by additionally passing `--set-home`. Further discussion with rycee in nix-community#3040 made me realize that the activation script already has a good Nix store bash shebang. So all the problems have been caused, not by the shell used for the activation script but by sudo trying to use a different shell at all. `-i` uses the shell set in the `passwd` file for the target user, but this can become invalid as happened to me. `-s` uses either `SHELL` if it's defined or the invoking user's shell as set in the `passwd` file. By explicitly setting this to a shell provided by Nix we make sure we're not trying to launch a non-existent shell. However, we're clearly already running in an existing shell and because of `--set-home` we can activate other users properly so there's not actually any need to try to have sudo start a different shell first, it just adds an extra process that then goes on to run the activation script with a good bash because of the shebang. Dropping `-s` altogether and keeping `--set-home` should avoid all of these issues.
rycee
force-pushed
the
sudo-s-activate
branch
from
bb82afb to
9555918
Compare
Member
|
Yeah, I think enough time has passed. I've merged to master now and we'll see if that produces any additional feedback. Thanks a lot for the fixing! |
austinharris
pushed a commit
to austinharris/home-manager
that referenced
this pull request
Dec 23, 2022
In nix-community#587, kalbasit introduce the `-i` flag so the sudo invocation would run in an environment with `HOME` set to the correct value for the target user. This was necessary to be able to set up multiple users without interfering with the invoking user's `HOME`. In nix-community#807, I switched to `-s` instead because I managed to get an invalid shell set for my user by switching `useUserPackages` from `true` to `false` which changes the location where packages are installed and `~/.nix-profile/bin/<my-shell>` was no longer valid. This was based on the assumption that `SHELL` would be set to some sensible value by Home Manager at this point. This turned out to be false as reported in nix-community#2900. In 0ced6d6 (this commit's parent at this time), I explicitly set `SHELL` to `${pkgs.bash}` so it is definitely set to a good shell when invoking the activation script. However, nix-community#807 broke activation for multiple users, the original motivation for `-i`, as reported in nix-community#2856. I fixed this in nix-community#2857 by additionally passing `--set-home`. Further discussion with rycee in nix-community#3040 made me realize that the activation script already has a good Nix store bash shebang. So all the problems have been caused, not by the shell used for the activation script but by sudo trying to use a different shell at all. `-i` uses the shell set in the `passwd` file for the target user, but this can become invalid as happened to me. `-s` uses either `SHELL` if it's defined or the invoking user's shell as set in the `passwd` file. By explicitly setting this to a shell provided by Nix we make sure we're not trying to launch a non-existent shell. However, we're clearly already running in an existing shell and because of `--set-home` we can activate other users properly so there's not actually any need to try to have sudo start a different shell first, it just adds an extra process that then goes on to run the activation script with a good bash because of the shebang. Dropping `-s` altogether and keeping `--set-home` should avoid all of these issues.
spacekookie
pushed a commit
to spacekookie/home-manager
that referenced
this pull request
Feb 10, 2023
In nix-community#587, kalbasit introduce the `-i` flag so the sudo invocation would run in an environment with `HOME` set to the correct value for the target user. This was necessary to be able to set up multiple users without interfering with the invoking user's `HOME`. In nix-community#807, I switched to `-s` instead because I managed to get an invalid shell set for my user by switching `useUserPackages` from `true` to `false` which changes the location where packages are installed and `~/.nix-profile/bin/<my-shell>` was no longer valid. This was based on the assumption that `SHELL` would be set to some sensible value by Home Manager at this point. This turned out to be false as reported in nix-community#2900. In 0ced6d6 (this commit's parent at this time), I explicitly set `SHELL` to `${pkgs.bash}` so it is definitely set to a good shell when invoking the activation script. However, nix-community#807 broke activation for multiple users, the original motivation for `-i`, as reported in nix-community#2856. I fixed this in nix-community#2857 by additionally passing `--set-home`. Further discussion with rycee in nix-community#3040 made me realize that the activation script already has a good Nix store bash shebang. So all the problems have been caused, not by the shell used for the activation script but by sudo trying to use a different shell at all. `-i` uses the shell set in the `passwd` file for the target user, but this can become invalid as happened to me. `-s` uses either `SHELL` if it's defined or the invoking user's shell as set in the `passwd` file. By explicitly setting this to a shell provided by Nix we make sure we're not trying to launch a non-existent shell. However, we're clearly already running in an existing shell and because of `--set-home` we can activate other users properly so there's not actually any need to try to have sudo start a different shell first, it just adds an extra process that then goes on to run the activation script with a good bash because of the shebang. Dropping `-s` altogether and keeping `--set-home` should avoid all of these issues.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
In #807 I changed the flag passed to
sudofrom-ito-ssosudowouldn't use a non-existent shell defined in the
passwdfile. kalbasitalso reported in that PR that
-ididn't work for them anymore on an M1Mac, presumably because Apple changed something in newer versions of
macOS.
Some users reported that this broke the behavior for them because
SHELLwas set to a path that didn't even exist on their system. It'sunclear how this came to be but it shows that my assumption that
SHELLwould be set to a reasonable shell by Home-Manager at this point in the
activation is false.
As a way around this problem we can explicitly set
SHELLwhen runningthe activation script to a value that we know will be good, like
${pkgs.bash}.One change in behavior this causes is that the activation script will
always be run by bash, not the user's shell. If the script is generated
by Home-Manager this is fine since it can be generated taking into
account the supported set of functions and behaviors. If the intent is
for the activation script to possibly be run by non-bash and even
non-POSIX shells, like tcsh, ksh or Xonsh, then this fix will not
suffice.
Fixes #2900
Note: I'm not sure how to test this properly, advice appreciated.
Checklist
Change is backwards compatible.
[] Code formatted with
./format.Couldn't do this because of a hash mismatch:
(use '--show-trace' to show detailed location information)
```
Code tested through
nix-shell --pure tests -A run.all.Test cases updated/added. See example.
Commit messages are formatted like
See CONTRIBUTING for more information and recent commit messages for examples.
If this PR adds a new module
Added myself as module maintainer. See example.
Added myself and the module files to
.github/CODEOWNERS.