Verify this if $HOME exists, it is owned by current user in getHome()

[virusdave]

Useful because a default sudo on darwin doesn't clear $HOME, so things like sudo nix-channel --list
will surprisingly return the USER'S channels, rather than root's.

Other counterintuitive outcomes can be seen in this PR description:
#6622

[thufschmitt]

I don't think this is a good idea. Having sudo not reset $HOME is intentional (although annoying in your case), but being able to override $HOME is definitely a feature (nix's own testsuite uses that extensively for instance).

Probably the second option from #6622 (comment) would make more sense (although it could be very confusing in some cases)

[virusdave]

Probably the second option from #6622 (comment) would make more sense (although it could be very confusing in some cases)

OK, this seems fair enough. I'll give that a shot since 6622 seems to have stalled a bit.

[virusdave]

Before:

dave @ davembp [/tmp]
$ nix-shell -p nix

dave @ davembp [nix-shell:/tmp]
$ nix-channel --list
darwin https://github.com/LnL7/nix-darwin/archive/master.tar.gz
nixpkgs https://nixos.org/channels/nixpkgs-unstable

dave @ davembp [nix-shell:/tmp]
$ sudo nix-channel --list
darwin https://github.com/LnL7/nix-darwin/archive/master.tar.gz
nixpkgs https://nixos.org/channels/nixpkgs-unstable

dave @ davembp [nix-shell:/tmp]
$ sudo -H nix-channel --list
nixos-22.05 https://nixos.org/channels/nixos-22.05
nixpkgs https://nixos.org/channels/nixos-22.05
nixpkgs-unstable https://nixos.org/channels/nixpkgs-unstable

After:

dave @ davembp [/tmp]
$ nix-shell -p 'with pkgs; nix.overrideAttrs (self: super: {patches = fetchpatch {url="https://github.com/virusdave/nix/commit/33ceafc0fc376d6bf07c1739bab24d95a6a9f27a.patch"; sha256="sha256-bD3f2jxoSlUjm5+YvUpmy8rw4JZuJ9UldyZ5D6gj6+w=";};})'

dave @ davembp [nix-shell:/tmp]
$ nix-channel --list
darwin https://github.com/LnL7/nix-darwin/archive/master.tar.gz
nixpkgs https://nixos.org/channels/nixpkgs-unstable

dave @ davembp [nix-shell:/tmp]
$ sudo nix-channel --list
nixos-22.05 https://nixos.org/channels/nixos-22.05
nixpkgs https://nixos.org/channels/nixos-22.05
nixpkgs-unstable https://nixos.org/channels/nixpkgs-unstable

dave @ davembp [nix-shell:/tmp]
$ sudo -H nix-channel --list
nixos-22.05 https://nixos.org/channels/nixos-22.05
nixpkgs https://nixos.org/channels/nixos-22.05
nixpkgs-unstable https://nixos.org/channels/nixpkgs-unstable

[thufschmitt]

Thanks. A couple of comments, but I like the overall approach :)

[virusdave]

Updated PR based on @thufschmitt 's review.

Now:

dave @ davembp [nix-shell:/tmp]
$ nix-channel --list
darwin https://github.com/LnL7/nix-darwin/archive/master.tar.gz
nixpkgs https://nixos.org/channels/nixpkgs-unstable

dave @ davembp [nix-shell:/tmp]
$ sudo nix-channel --list
warning: $HOME ('/Users/dave') is not owned by you, falling back to the one defined in the 'passwd' file
nixos-22.05 https://nixos.org/channels/nixos-22.05
nixpkgs https://nixos.org/channels/nixos-22.05
nixpkgs-unstable https://nixos.org/channels/nixpkgs-unstable

dave @ davembp [nix-shell:/tmp]
$ sudo -H nix-channel --list
nixos-22.05 https://nixos.org/channels/nixos-22.05
nixpkgs https://nixos.org/channels/nixos-22.05
nixpkgs-unstable https://nixos.org/channels/nixpkgs-unstable

[mkenigs]

Thanks for fixing this @virusdave

I think this approach feels pretty complex and non-obvious. This will make the behavior of nix depend on:

1. $HOME
2. Whether $HOME exists
3. Permissions of $HOME
4. /etc/passwd

That's a lot of conditionals based on the environment, which doesn't feel like it's really in the spirit of reproducibility. I don't know that there's a clean way to do it, but I wonder if even something like --home would be better? That said, I do appreciate that this makes the sudo behavior less silently confusing

[thufschmitt]

That's a lot of conditionals based on the environment, which doesn't feel like it's really in the spirit of reproducibility

That's UNIX systems for you 😛

Fwiw, as far as reproducibility goes, this only holds for the “impure” eval mode, as the only way the pure mode will use $HOME is as a cache. And the impure mode is… well, impure, so that's an acceptable tradeof 🙃

[thufschmitt]

Thanks @virusdave , let's merge

[dhess]

As a result of this change, on NixOS, any systemd process whose home is /var/empty and spawns a nix process spams the journal with:

warning: $HOME ('/var/empty') is not owned by you, falling back to the one defined in the 'passwd' file

which, for processes that run a lot of nix commands relative to the number of lines in their output, makes the logs quite a bit harder to read and significantly increases the log storage used.

[virusdave]

Oof, that's definitely not desirable. Out of curiosity, what is the /etc/passwd specified homedir for those systemd processes? Is it also /var/empty? If so, a simple anti-spamming measure would be to not print this message if the effect is a no-op. In fact, that might just make sense to do anyway.

[dhess]

Yes, it's /var/empty in the passwd file. I believe that's what happens by default on NixOS if you don't explicitly set a user's homedir.

[virusdave]

Yes, it's /var/empty in the passwd file. I believe that's what happens by default on NixOS if you don't explicitly set a user's homedir.

OK, i'll whip up a followup PR to make that change. Thanks for letting me know!

[dhess]

Thanks. In the meantime, I can downgrade the Nix we're using in the problematic systemd service. Do you happen to know which release of Nix this change went out with? (edit: Looks like 2.10.0?)

[virusdave]

Thanks. In the meantime, I can downgrade the Nix we're using in the problematic systemd service. Do you happen to know which release of Nix this change went out with? (edit: Looks like 2.10.0?)

Sure. You could also patch this PR into nix in an overlay if you don't want to go backwards (assuming the tests pass).