git 2.35.2 breaks nixos-rebuild with flake repo owned by non-root user

[NickCao]

Describe the bug

After upgrading to git 2.35.2 (which is the version currently in nixos-unstable-small), running sudo nixos-rebuild switch with a flake repo owned by non-root user would result in a cryptic error message saying

warning: Not a git repository. Use --no-index to compare two paths outside a working tree
usage: git diff --no-index [<options>] <path> <path>
...... (the full git diff help)
error: program 'git' failed with exit code 129
(use '--show-trace' to show detailed location information)

The underlying reason is that due to the fix for CVE-2022-24765, git now effectively treats any directory not owned by the calling user as not a git repo. A temporary workaround would be to add the repo to safe.directory entry of the root user's git config. A possible long term fix is to only use sudo or others means for privilege elevation when absolutely required in nixos-rebuild.

Notify maintainers

@Profpatsch

Metadata

 - system: `"x86_64-linux"`
 - host os: `Linux 5.17.3, NixOS, 22.05 (Quokka), 22.05.20220418.f26866c`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.8.0pre20220411_f7276bc`
 - nixpkgs: `/nix/store/xy6wkddgna3rsmqkb53120x8lpf1pbvr-source`

[andrevmatos]

This also breaks sudo nixos-container --flake for the same reason

[izik1]

Note: An extra hacky work around if you can't modify root's gitconfig (say, because you'd need to use this same flake to do so) is to chown the directory to root, do your temp fix, and chown it back 🤣 (I wouldn't recommend doing that unless you have to and know what you're doing)

[hqurve]

Can we also build the config using unprivileged nixos-rebuild build --flake and then run sudo ./result/bin/switch-to-configuration <action>?

[SuperSandro2000]

Such a nonsense CVE 🙄 If people can drop malicious files on your filesystem you are already fucked.

[SuperSandro2000]

Workaround to get your machines updated

$ sudo git config --global --add safe.directory /etc/nixos

[NickCao]

Just found out that nixos-rebuild has a --use-remote-sudo flag, which does exactly my second solution.

[SuperSandro2000]

I am questioning myself: Why is this not the default? Sounds like it should be to me.

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/sudo-nixos-rebuild-switch-not-a-git-repository/18763/2

[Artturin]

lets keep this open until something is done so this works by default

[matklad]

(not sure if its worth opening an issue about)

For extra dwim, it'd be cool if --use-remote-sudo just worked for those of us who use doas rather than sudo.

[TLATER]

To spell out @NickCao 's work-around, you can use nixos-rebuild --use-remote-sudo for your local system as well, which is both ingenious and a bit silly (and will from now on be how I invoke nixos-rebuild in general).

[wiltaylor]

@hqurve this seems like the best way to fix this moving forward.

[Sciencentistguy]

Is there a reason not to make --use-remote-sudo the default behaviour?

[TLATER]

Is there a reason not to make --use-remote-sudo the default behaviour?

Having the toggle is desirable for systems where you don't have sudo, and want to hand-craft permissions with any of the non-sudo permissions management options instead. But in those cases it's not really harmful and should show a pretty obvious error message. I can't really see a reason not to invert that flag.

[ncfavier]

We should also probably replace remote-sudo with just sudo given that it applies to local builds.

[ocfox]

I found that this also works fine nix-shell -p git --run "sudo nixos-rebuild switch".

[kirillrdy]

with upgrade to nix 2.9.0, this is started happening to me again

[Artturin]

with upgrade to nix 2.9.0, this is started happening to me again

The nix bump isn't in any of the channels yet, https://nixpk.gs/pr-tracker.html?pr=175541

[LukaKon]

After upgrade nix to 2.9: warning: Not a git repository. Use --no-index to compare two paths outside a working tree
and same situation in nix-shell :)

[Radvendii]

This also affects url = "path:/foo/bar" type flake inputs when they're git repos.

[Artturin]

NixOS/nix#6636

[Artturin]

stable: #177353
unstable: #177184