light is not working withough root

[rokk4]

Issue description

Since a few days, around the 14th october, light is not working without root.
Using sudo light -S works fine.
Since #nixos didn't know any further answers, I opened this issue.

Steps to reproduce

/etc/nixos/configuration.nix
programs.light.enable = true;

Technical details

Please run nix-shell -p nix-info --run "nix-info -m" and paste the
results.

  nix-info -m

 - system: `"x86_64-linux"`
 - host os: `Linux 4.18.13, NixOS, 19.03pre155123.32bcd72bf28 (Koi)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.1.3`
 - channels(rokka): `"nixpkgs-19.03pre151875.7c1b85cf6de"`
 - channels(root): `"nixos-19.03pre155123.32bcd72bf28, nixpkgs-19.03pre154774.cefd0f7e86b"`
 - nixpkgs: `/home/rokka/.nix-defexpr/channels/nixpkgs`

[rokka@derGeraet:~]$ nixos-option programs.light.enable
Value:
true

Default:
false

Example:


Description:

"Whether to install Light backlight control with setuid wrapper.\n"

Declared by:
  "/home/rokka/.nix-defexpr/channels/nixpkgs/nixos/modules/programs/light.nix"

Defined by:
  "/etc/nixos/configuration.nix"

[rokka@derGeraet:~]$ nixos-option security.wrappers.light.source
This attribute set contains:

Yes, this is the full output of nixos-option security.wrappers.light.source

[rokka@derGeraet:~]$ sudo ls /run/wrappers/bin/light
[sudo] password for rokka:
ls: cannot access '/run/wrappers/bin/light': No such file or directory

[rokka@derGeraet:~]$ ls /run/wrappers/bin/
dbus-daemon-launch-helper       newgidmap       passwd       polkit-agent-helper-1       sudoedit
dbus-daemon-launch-helper.real  newgidmap.real  passwd.real  polkit-agent-helper-1.real  sudoedit.real
fusermount                      newgrp          ping         sg                          sudo.real
fusermount3                     newgrp.real     ping.real    sg.real                     su.real
fusermount3.real                newuidmap       pkexec       su                          unix_chkpwd
fusermount.real                 newuidmap.real  pkexec.real  sudo                        unix_chkpwd.real

[rokka@derGeraet:~]$ which light
/run/current-system/sw/bin/light

[rokka@derGeraet:~]$ sudo grep light /run/current-system/activate
[sudo] password for rokka:

yes, it has no output at all

[xaverdh]

As a workaround I suggest doing (as per https://haikarainen.github.io/light/):

services.udev.extraRules = ''
ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video %S%p/brightness", RUN+="${pkgs.coreutils}/bin/chmod g+w %S%p/brightness"
'';

services.udev.path = [
pkgs.coreutils # for chgrp
];

then add your user account to the video group (users.extraUsers.<name>.extraGroups) and add light to your systemPackages instead of setting programs.light.enable.

[dtzWill]

Hmm do you have #47544 in the commit you're using? It does those things for you, and should have different text in nixos-option. Try updating I suppose, and please report if any of that is needed beyond enabling and adding yourself to the group.

[emmanuelrosa]

I'm encountering the same issue.

For some reason light is not getting wrapped when programs.light.enable = true. I've narrowed it down to missing code in the activation script. The activation script is supposed to contain a chunk of code that looks something like this:

cp /nix/store/*-security-wrapper/bin/security-wrapper $wrapperDir/light
echo -n "/nix/store/*-light-*/bin/light" > $wrapperDir/light.real

# Prevent races
chmod 0000 $wrapperDir/light
chown root.nogroup $wrapperDir/light

chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/light

However, said chunk of code is missing. Here's my activation script (NixOS Loris, commit 777e94d):

#! /nix/store/cinw572b38aln37glr0zb8lxwrgaffl4-bash-4.4-p23/bin/bash

systemConfig=/nix/store/v49n276ycj9kwcyqpr76inqmbjscy523-nixos-system-nixos-laptop-19.09.git.777e94d

export PATH=/empty
for i in /nix/store/d9s1kq1bnwqgxwcvv4zrc36ysnxg8gv7-coreutils-8.30 /nix/store/wnjv27b3j6jfdl0968xpcymlc7chpqil-gnugrep-3.3 /nix/store/krhqmaqal0gklh15rs2bwrqzz8mg9lrn-findutils-4.6.0 /nix/store/1dppisyngjln0m2fzvyzh0gj9wf9i12x-getent-1003.1-2008 /nix/store/f5wl80zkrd3fc1jxsljmnpn7y02lz6v1-glibc-2.27-bin /nix/store/hciblqqf5fwasmiac3ciw30h574nf6kk-shadow-4.6 /nix/store/zmbhwb6l8nvqsxligbsvxm99jbbnbx70-net-tools-1.60_p20170221182432 /nix/store/96jfbs5vj01fiiz6s81wzfvrxhdx0rm5-util-linux-2.33.1-bin; do
    PATH=$PATH:$i/bin:$i/sbin
done

_status=0
trap "_status=1 _localstatus=\$?" ERR

# Ensure a consistent umask.
umask 0022

#### Activation script snippet stdio:
_localstatus=0


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "stdio" "$_localstatus"
fi

#### Activation script snippet binsh:
_localstatus=0
# Create the required /bin/sh symlink; otherwise lots of things
# (notably the system() function) won't work.
mkdir -m 0755 -p /bin
ln -sfn "/nix/store/mcyvp1s45scjkkhyb1m16aqlsb8wr6hs-bash-interactive-4.4-p23/bin/sh" /bin/.sh.tmp
mv /bin/.sh.tmp /bin/sh # atomically replace /bin/sh


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "binsh" "$_localstatus"
fi

#### Activation script snippet domain:
_localstatus=0


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "domain" "$_localstatus"
fi

#### Activation script snippet users:
_localstatus=0
install -m 0700 -d /root
install -m 0755 -d /home

/nix/store/kiapz3kjvb46jbvswdjkmrzg0s4l2zm7-perl-5.28.1/bin/perl -w \
  -I/nix/store/rf4q26ivs49mm45cxgjj35knl08gkx8p-perl5.28.1-File-Slurp-9999.25/lib/perl5/site_perl \
  -I/nix/store/b92bmz80n5pj5k50x32bfr97p3d60zyf-perl5.28.1-JSON-4.00/lib/perl5/site_perl \
  /nix/store/1hkp2n6hz3ybf2rvkjkwrzgbjkrrakzl-update-users-groups.pl /nix/store/s5bs9c487fv77dh3b8kkamr242gqjiqz-users-groups.json


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "users" "$_localstatus"
fi

#### Activation script snippet groups:
_localstatus=0


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "groups" "$_localstatus"
fi

#### Activation script snippet etc:
_localstatus=0
# Set up the statically computed bits of /etc.
echo "setting up /etc..."
/nix/store/kiapz3kjvb46jbvswdjkmrzg0s4l2zm7-perl-5.28.1/bin/perl -I/nix/store/rf4q26ivs49mm45cxgjj35knl08gkx8p-perl5.28.1-File-Slurp-9999.25/lib/perl5/site_perl /nix/store/vn1xs9s2akf79y1pbya2qldydbf2b22m-setup-etc.pl /nix/store/vjib1rlgaznvvqrwmlq3kh139p4r46h1-etc/etc


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "etc" "$_localstatus"
fi

#### Activation script snippet hostname:
_localstatus=0
hostname "nixos-laptop"


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "hostname" "$_localstatus"
fi

#### Activation script snippet specialfs:
_localstatus=0
specialMount() {
  local device="$1"
  local mountPoint="$2"
  local options="$3"
  local fsType="$4"

  if mountpoint -q "$mountPoint"; then
    local options="remount,$options"
  else
    mkdir -m 0755 -p "$mountPoint"
  fi
  mount -t "$fsType" -o "$options" "$device" "$mountPoint"
}
source /nix/store/4pprvrkcfsc560b6v72raymy0f0ziiw6-mounts.sh


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "specialfs" "$_localstatus"
fi

#### Activation script snippet modprobe:
_localstatus=0
# Allow the kernel to find our wrapped modprobe (which searches
# in the right location in the Nix store for kernel modules).
# We need this when the kernel (or some module) auto-loads a
# module.
echo /nix/store/9p1j0gh1z3gahl1nvg637f96yb7djyg2-kmod-25/bin/modprobe > /proc/sys/kernel/modprobe


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "modprobe" "$_localstatus"
fi

#### Activation script snippet nix:
_localstatus=0
# Nix initialisation.
install -m 0755 -d \
  /nix/var/nix/gcroots \
  /nix/var/nix/temproots \
  /nix/var/nix/userpool \
  /nix/var/nix/profiles \
  /nix/var/nix/db \
  /nix/var/log/nix/drvs
install -m 1777 -d \
  /nix/var/nix/gcroots/per-user \
  /nix/var/nix/profiles/per-user \
  /nix/var/nix/gcroots/tmp


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "nix" "$_localstatus"
fi

#### Activation script snippet var:
_localstatus=0
# Various log/runtime directories.

mkdir -m 1777 -p /var/tmp

# Empty, immutable home directory of many system accounts.
mkdir -p /var/empty
# Make sure it's really empty
/nix/store/qzrrw4ycnsj99488xv1v2rwmmjf3q9wr-e2fsprogs-1.44.5-bin/bin/chattr -f -i /var/empty || true
find /var/empty -mindepth 1 -delete
chmod 0555 /var/empty
chown root:root /var/empty
/nix/store/qzrrw4ycnsj99488xv1v2rwmmjf3q9wr-e2fsprogs-1.44.5-bin/bin/chattr -f +i /var/empty || true


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "var" "$_localstatus"
fi

#### Activation script snippet resolvconf:
_localstatus=0
# Systemd resolved controls its own resolv.conf
rm -f /run/resolvconf/interfaces/systemd


# Make sure resolv.conf is up to date if not managed manually or by systemd
/nix/store/288qfr48xix808jiz676sfxwdc8ppjp5-openresolv-3.9.0/bin/resolvconf -u



if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "resolvconf" "$_localstatus"
fi

#### Activation script snippet udevd:
_localstatus=0
# The deprecated hotplug uevent helper is not used anymore
if [ -e /proc/sys/kernel/hotplug ]; then
  echo "" > /proc/sys/kernel/hotplug
fi

# Allow the kernel to find our firmware.
if [ -e /sys/module/firmware_class/parameters/path ]; then
  echo -n "/nix/store/l520474vfisll1z5hv60aa5h163072hl-firmware/lib/firmware" > /sys/module/firmware_class/parameters/path
fi


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "udevd" "$_localstatus"
fi

#### Activation script snippet udisks2:
_localstatus=0
mkdir -m 0755 -p /var/lib/udisks2


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "udisks2" "$_localstatus"
fi

#### Activation script snippet usrbinenv:
_localstatus=0
mkdir -m 0755 -p /usr/bin
ln -sfn /nix/store/d9s1kq1bnwqgxwcvv4zrc36ysnxg8gv7-coreutils-8.30/bin/env /usr/bin/.env.tmp
mv /usr/bin/.env.tmp /usr/bin/env # atomically replace /usr/bin/env


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "usrbinenv" "$_localstatus"
fi

#### Activation script snippet wrappers:
_localstatus=0
# Look in the system path and in the default profile for
# programs to be wrapped.
WRAPPER_PATH=/nix/store/z3hhfzm5w7nniy9d19v2yp342mjbmfnj-system-path/bin:/nix/store/z3hhfzm5w7nniy9d19v2yp342mjbmfnj-system-path/sbin

# We want to place the tmpdirs for the wrappers to the parent dir.
wrapperDir=$(mktemp --directory --tmpdir="/run/wrappers" wrappers.XXXXXXXXXX)
chmod a+rx $wrapperDir

cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/dbus-daemon-launch-helper
echo -n "/nix/store/vf3kimm17wqbs63zh5kz85q114q28p0z-dbus-1.12.12/libexec/dbus-daemon-launch-helper" > $wrapperDir/dbus-daemon-launch-helper.real

# Prevent races
chmod 0000 $wrapperDir/dbus-daemon-launch-helper
chown root.messagebus $wrapperDir/dbus-daemon-launch-helper

chmod "u+s,g-s,u+rx,g+rx,o-rx" $wrapperDir/dbus-daemon-launch-helper

cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/fusermount
echo -n "/nix/store/0rz1lb2lmx250ga94y9zrffzwgh1qx9s-fuse-2.9.9/bin/fusermount" > $wrapperDir/fusermount.real

# Prevent races
chmod 0000 $wrapperDir/fusermount
chown root.root $wrapperDir/fusermount

chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/fusermount

cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/fusermount3
echo -n "/nix/store/47yj0mrlx5ybslpfyi7js9v3hgpmwznx-fuse-3.4.1/bin/fusermount3" > $wrapperDir/fusermount3.real

# Prevent races
chmod 0000 $wrapperDir/fusermount3
chown root.root $wrapperDir/fusermount3

chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/fusermount3

cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/newgidmap
echo -n "/nix/store/hciblqqf5fwasmiac3ciw30h574nf6kk-shadow-4.6/bin/newgidmap" > $wrapperDir/newgidmap.real

# Prevent races
chmod 0000 $wrapperDir/newgidmap
chown root.root $wrapperDir/newgidmap

chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/newgidmap

cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/newgrp
echo -n "/nix/store/hciblqqf5fwasmiac3ciw30h574nf6kk-shadow-4.6/bin/newgrp" > $wrapperDir/newgrp.real

# Prevent races
chmod 0000 $wrapperDir/newgrp
chown root.root $wrapperDir/newgrp

chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/newgrp

cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/newuidmap
echo -n "/nix/store/hciblqqf5fwasmiac3ciw30h574nf6kk-shadow-4.6/bin/newuidmap" > $wrapperDir/newuidmap.real

# Prevent races
chmod 0000 $wrapperDir/newuidmap
chown root.root $wrapperDir/newuidmap

chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/newuidmap

cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/passwd
echo -n "/nix/store/hciblqqf5fwasmiac3ciw30h574nf6kk-shadow-4.6/bin/passwd" > $wrapperDir/passwd.real

# Prevent races
chmod 0000 $wrapperDir/passwd
chown root.root $wrapperDir/passwd

chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/passwd

cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/ping
echo -n "/nix/store/22nfcbw7n7yd87yql537pma23h47bfzz-iputils-20180629/bin/ping" > $wrapperDir/ping.real

# Prevent races
chmod 0000 $wrapperDir/ping
chown root.root $wrapperDir/ping

# Set desired capabilities on the file plus cap_setpcap so
# the wrapper program can elevate the capabilities set on
# its file into the Ambient set.
/nix/store/22qfvavs0hmg1vh2jwh0cal7apj0g0x0-libcap-2.26/bin/setcap "cap_setpcap,cap_net_raw+p" $wrapperDir/ping

# Set the executable bit
chmod u+rx,g+x,o+x $wrapperDir/ping

cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/pkexec
echo -n "/nix/store/g5r63nlmlzn8n6v7ahrfii0b5pk55lar-polkit-0.115-bin/bin/pkexec" > $wrapperDir/pkexec.real

# Prevent races
chmod 0000 $wrapperDir/pkexec
chown root.root $wrapperDir/pkexec

chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/pkexec

cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/polkit-agent-helper-1
echo -n "/nix/store/r1b8ggg8w9kmdv9fjrir17qxbh1p38sj-polkit-0.115/lib/polkit-1/polkit-agent-helper-1" > $wrapperDir/polkit-agent-helper-1.real

# Prevent races
chmod 0000 $wrapperDir/polkit-agent-helper-1
chown root.root $wrapperDir/polkit-agent-helper-1

chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/polkit-agent-helper-1

cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/sg
echo -n "/nix/store/hciblqqf5fwasmiac3ciw30h574nf6kk-shadow-4.6/bin/sg" > $wrapperDir/sg.real

# Prevent races
chmod 0000 $wrapperDir/sg
chown root.root $wrapperDir/sg

chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/sg

cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/su
echo -n "/nix/store/c4w7l847prnan6zzhx718c788bdkrg02-shadow-4.6-su/bin/su" > $wrapperDir/su.real

# Prevent races
chmod 0000 $wrapperDir/su
chown root.root $wrapperDir/su

chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/su

cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/sudo
echo -n "/nix/store/nik1ylfpjy80pi7qq0llvv7r359bq9s9-sudo-1.8.27/bin/sudo" > $wrapperDir/sudo.real

# Prevent races
chmod 0000 $wrapperDir/sudo
chown root.root $wrapperDir/sudo

chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/sudo

cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/sudoedit
echo -n "/nix/store/nik1ylfpjy80pi7qq0llvv7r359bq9s9-sudo-1.8.27/bin/sudoedit" > $wrapperDir/sudoedit.real

# Prevent races
chmod 0000 $wrapperDir/sudoedit
chown root.root $wrapperDir/sudoedit

chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/sudoedit

cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/unix_chkpwd
echo -n "/nix/store/wm300mkfk9sfx2lv3rcblqm8bza673g0-linux-pam-1.3.0/sbin/unix_chkpwd.orig" > $wrapperDir/unix_chkpwd.real

# Prevent races
chmod 0000 $wrapperDir/unix_chkpwd
chown root.nogroup $wrapperDir/unix_chkpwd

chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/unix_chkpwd


if [ -L /run/wrappers/bin ]; then
  # Atomically replace the symlink
  # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
  old=$(readlink -f /run/wrappers/bin)
  ln --symbolic --force --no-dereference $wrapperDir /run/wrappers/bin-tmp
  mv --no-target-directory /run/wrappers/bin-tmp /run/wrappers/bin
  rm --force --recursive $old
else
  # For initial setup
  ln --symbolic $wrapperDir /run/wrappers/bin
fi


if (( _localstatus > 0 )); then
  printf "Activation script snippet '%s' failed (%s)\n" "wrappers" "$_localstatus"
fi


# Make this configuration the current configuration.
# The readlink is there to ensure that when $systemConfig = /system
# (which is a symlink to the store), /run/current-system is still
# used as a garbage collection root.
ln -sfn "$(readlink -f "$systemConfig")" /run/current-system

# Prevent the current configuration from being garbage-collected.
ln -sfn /run/current-system /nix/var/nix/gcroots/current-system

exit $_status

[dtzWill]

`light` no longer uses a suid binary, instead you should add user(s) to `video` group. This is in the NixOS manual, for versions since this change. LMK if this doesn't work for you!

…

On Sun, 10 Mar 2019 06:47:30 -0700, Emmanuel Rosa ***@***.***> wrote: I'm encountering the same issue. For some reason `light` is not getting wrapped when `programs.light.enable = true`. I've narrowed it down to missing code in the activation script. The activation script is supposed to contain a chunk of code that looks something like this: ``` cp /nix/store/*-security-wrapper/bin/security-wrapper $wrapperDir/light echo -n "/nix/store/*-light-*/bin/light" > $wrapperDir/light.real # Prevent races chmod 0000 $wrapperDir/light chown root.nogroup $wrapperDir/light chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/light ``` However, said chunk of code is missing. Here's my activation script (NixOS Loris, commit 777e94d): ``` #! /nix/store/cinw572b38aln37glr0zb8lxwrgaffl4-bash-4.4-p23/bin/bash systemConfig=/nix/store/v49n276ycj9kwcyqpr76inqmbjscy523-nixos-system-nixos-laptop-19.09.git.777e94d export PATH=/empty for i in /nix/store/d9s1kq1bnwqgxwcvv4zrc36ysnxg8gv7-coreutils-8.30 /nix/store/wnjv27b3j6jfdl0968xpcymlc7chpqil-gnugrep-3.3 /nix/store/krhqmaqal0gklh15rs2bwrqzz8mg9lrn-findutils-4.6.0 /nix/store/1dppisyngjln0m2fzvyzh0gj9wf9i12x-getent-1003.1-2008 /nix/store/f5wl80zkrd3fc1jxsljmnpn7y02lz6v1-glibc-2.27-bin /nix/store/hciblqqf5fwasmiac3ciw30h574nf6kk-shadow-4.6 /nix/store/zmbhwb6l8nvqsxligbsvxm99jbbnbx70-net-tools-1.60_p20170221182432 /nix/store/96jfbs5vj01fiiz6s81wzfvrxhdx0rm5-util-linux-2.33.1-bin; do PATH=$PATH:$i/bin:$i/sbin done _status=0 trap "_status=1 _localstatus=\$?" ERR # Ensure a consistent umask. umask 0022 #### Activation script snippet stdio: _localstatus=0 if (( _localstatus > 0 )); then printf "Activation script snippet '%s' failed (%s)\n" "stdio" "$_localstatus" fi #### Activation script snippet binsh: _localstatus=0 # Create the required /bin/sh symlink; otherwise lots of things # (notably the system() function) won't work. mkdir -m 0755 -p /bin ln -sfn "/nix/store/mcyvp1s45scjkkhyb1m16aqlsb8wr6hs-bash-interactive-4.4-p23/bin/sh" /bin/.sh.tmp mv /bin/.sh.tmp /bin/sh # atomically replace /bin/sh if (( _localstatus > 0 )); then printf "Activation script snippet '%s' failed (%s)\n" "binsh" "$_localstatus" fi #### Activation script snippet domain: _localstatus=0 if (( _localstatus > 0 )); then printf "Activation script snippet '%s' failed (%s)\n" "domain" "$_localstatus" fi #### Activation script snippet users: _localstatus=0 install -m 0700 -d /root install -m 0755 -d /home /nix/store/kiapz3kjvb46jbvswdjkmrzg0s4l2zm7-perl-5.28.1/bin/perl -w \ -I/nix/store/rf4q26ivs49mm45cxgjj35knl08gkx8p-perl5.28.1-File-Slurp-9999.25/lib/perl5/site_perl \ -I/nix/store/b92bmz80n5pj5k50x32bfr97p3d60zyf-perl5.28.1-JSON-4.00/lib/perl5/site_perl \ /nix/store/1hkp2n6hz3ybf2rvkjkwrzgbjkrrakzl-update-users-groups.pl /nix/store/s5bs9c487fv77dh3b8kkamr242gqjiqz-users-groups.json if (( _localstatus > 0 )); then printf "Activation script snippet '%s' failed (%s)\n" "users" "$_localstatus" fi #### Activation script snippet groups: _localstatus=0 if (( _localstatus > 0 )); then printf "Activation script snippet '%s' failed (%s)\n" "groups" "$_localstatus" fi #### Activation script snippet etc: _localstatus=0 # Set up the statically computed bits of /etc. echo "setting up /etc..." /nix/store/kiapz3kjvb46jbvswdjkmrzg0s4l2zm7-perl-5.28.1/bin/perl -I/nix/store/rf4q26ivs49mm45cxgjj35knl08gkx8p-perl5.28.1-File-Slurp-9999.25/lib/perl5/site_perl /nix/store/vn1xs9s2akf79y1pbya2qldydbf2b22m-setup-etc.pl /nix/store/vjib1rlgaznvvqrwmlq3kh139p4r46h1-etc/etc if (( _localstatus > 0 )); then printf "Activation script snippet '%s' failed (%s)\n" "etc" "$_localstatus" fi #### Activation script snippet hostname: _localstatus=0 hostname "nixos-laptop" if (( _localstatus > 0 )); then printf "Activation script snippet '%s' failed (%s)\n" "hostname" "$_localstatus" fi #### Activation script snippet specialfs: _localstatus=0 specialMount() { local device="$1" local mountPoint="$2" local options="$3" local fsType="$4" if mountpoint -q "$mountPoint"; then local options="remount,$options" else mkdir -m 0755 -p "$mountPoint" fi mount -t "$fsType" -o "$options" "$device" "$mountPoint" } source /nix/store/4pprvrkcfsc560b6v72raymy0f0ziiw6-mounts.sh if (( _localstatus > 0 )); then printf "Activation script snippet '%s' failed (%s)\n" "specialfs" "$_localstatus" fi #### Activation script snippet modprobe: _localstatus=0 # Allow the kernel to find our wrapped modprobe (which searches # in the right location in the Nix store for kernel modules). # We need this when the kernel (or some module) auto-loads a # module. echo /nix/store/9p1j0gh1z3gahl1nvg637f96yb7djyg2-kmod-25/bin/modprobe > /proc/sys/kernel/modprobe if (( _localstatus > 0 )); then printf "Activation script snippet '%s' failed (%s)\n" "modprobe" "$_localstatus" fi #### Activation script snippet nix: _localstatus=0 # Nix initialisation. install -m 0755 -d \ /nix/var/nix/gcroots \ /nix/var/nix/temproots \ /nix/var/nix/userpool \ /nix/var/nix/profiles \ /nix/var/nix/db \ /nix/var/log/nix/drvs install -m 1777 -d \ /nix/var/nix/gcroots/per-user \ /nix/var/nix/profiles/per-user \ /nix/var/nix/gcroots/tmp if (( _localstatus > 0 )); then printf "Activation script snippet '%s' failed (%s)\n" "nix" "$_localstatus" fi #### Activation script snippet var: _localstatus=0 # Various log/runtime directories. mkdir -m 1777 -p /var/tmp # Empty, immutable home directory of many system accounts. mkdir -p /var/empty # Make sure it's really empty /nix/store/qzrrw4ycnsj99488xv1v2rwmmjf3q9wr-e2fsprogs-1.44.5-bin/bin/chattr -f -i /var/empty || true find /var/empty -mindepth 1 -delete chmod 0555 /var/empty chown root:root /var/empty /nix/store/qzrrw4ycnsj99488xv1v2rwmmjf3q9wr-e2fsprogs-1.44.5-bin/bin/chattr -f +i /var/empty || true if (( _localstatus > 0 )); then printf "Activation script snippet '%s' failed (%s)\n" "var" "$_localstatus" fi #### Activation script snippet resolvconf: _localstatus=0 # Systemd resolved controls its own resolv.conf rm -f /run/resolvconf/interfaces/systemd # Make sure resolv.conf is up to date if not managed manually or by systemd /nix/store/288qfr48xix808jiz676sfxwdc8ppjp5-openresolv-3.9.0/bin/resolvconf -u if (( _localstatus > 0 )); then printf "Activation script snippet '%s' failed (%s)\n" "resolvconf" "$_localstatus" fi #### Activation script snippet udevd: _localstatus=0 # The deprecated hotplug uevent helper is not used anymore if [ -e /proc/sys/kernel/hotplug ]; then echo "" > /proc/sys/kernel/hotplug fi # Allow the kernel to find our firmware. if [ -e /sys/module/firmware_class/parameters/path ]; then echo -n "/nix/store/l520474vfisll1z5hv60aa5h163072hl-firmware/lib/firmware" > /sys/module/firmware_class/parameters/path fi if (( _localstatus > 0 )); then printf "Activation script snippet '%s' failed (%s)\n" "udevd" "$_localstatus" fi #### Activation script snippet udisks2: _localstatus=0 mkdir -m 0755 -p /var/lib/udisks2 if (( _localstatus > 0 )); then printf "Activation script snippet '%s' failed (%s)\n" "udisks2" "$_localstatus" fi #### Activation script snippet usrbinenv: _localstatus=0 mkdir -m 0755 -p /usr/bin ln -sfn /nix/store/d9s1kq1bnwqgxwcvv4zrc36ysnxg8gv7-coreutils-8.30/bin/env /usr/bin/.env.tmp mv /usr/bin/.env.tmp /usr/bin/env # atomically replace /usr/bin/env if (( _localstatus > 0 )); then printf "Activation script snippet '%s' failed (%s)\n" "usrbinenv" "$_localstatus" fi #### Activation script snippet wrappers: _localstatus=0 # Look in the system path and in the default profile for # programs to be wrapped. WRAPPER_PATH=/nix/store/z3hhfzm5w7nniy9d19v2yp342mjbmfnj-system-path/bin:/nix/store/z3hhfzm5w7nniy9d19v2yp342mjbmfnj-system-path/sbin # We want to place the tmpdirs for the wrappers to the parent dir. wrapperDir=$(mktemp --directory --tmpdir="/run/wrappers" wrappers.XXXXXXXXXX) chmod a+rx $wrapperDir cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/dbus-daemon-launch-helper echo -n "/nix/store/vf3kimm17wqbs63zh5kz85q114q28p0z-dbus-1.12.12/libexec/dbus-daemon-launch-helper" > $wrapperDir/dbus-daemon-launch-helper.real # Prevent races chmod 0000 $wrapperDir/dbus-daemon-launch-helper chown root.messagebus $wrapperDir/dbus-daemon-launch-helper chmod "u+s,g-s,u+rx,g+rx,o-rx" $wrapperDir/dbus-daemon-launch-helper cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/fusermount echo -n "/nix/store/0rz1lb2lmx250ga94y9zrffzwgh1qx9s-fuse-2.9.9/bin/fusermount" > $wrapperDir/fusermount.real # Prevent races chmod 0000 $wrapperDir/fusermount chown root.root $wrapperDir/fusermount chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/fusermount cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/fusermount3 echo -n "/nix/store/47yj0mrlx5ybslpfyi7js9v3hgpmwznx-fuse-3.4.1/bin/fusermount3" > $wrapperDir/fusermount3.real # Prevent races chmod 0000 $wrapperDir/fusermount3 chown root.root $wrapperDir/fusermount3 chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/fusermount3 cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/newgidmap echo -n "/nix/store/hciblqqf5fwasmiac3ciw30h574nf6kk-shadow-4.6/bin/newgidmap" > $wrapperDir/newgidmap.real # Prevent races chmod 0000 $wrapperDir/newgidmap chown root.root $wrapperDir/newgidmap chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/newgidmap cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/newgrp echo -n "/nix/store/hciblqqf5fwasmiac3ciw30h574nf6kk-shadow-4.6/bin/newgrp" > $wrapperDir/newgrp.real # Prevent races chmod 0000 $wrapperDir/newgrp chown root.root $wrapperDir/newgrp chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/newgrp cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/newuidmap echo -n "/nix/store/hciblqqf5fwasmiac3ciw30h574nf6kk-shadow-4.6/bin/newuidmap" > $wrapperDir/newuidmap.real # Prevent races chmod 0000 $wrapperDir/newuidmap chown root.root $wrapperDir/newuidmap chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/newuidmap cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/passwd echo -n "/nix/store/hciblqqf5fwasmiac3ciw30h574nf6kk-shadow-4.6/bin/passwd" > $wrapperDir/passwd.real # Prevent races chmod 0000 $wrapperDir/passwd chown root.root $wrapperDir/passwd chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/passwd cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/ping echo -n "/nix/store/22nfcbw7n7yd87yql537pma23h47bfzz-iputils-20180629/bin/ping" > $wrapperDir/ping.real # Prevent races chmod 0000 $wrapperDir/ping chown root.root $wrapperDir/ping # Set desired capabilities on the file plus cap_setpcap so # the wrapper program can elevate the capabilities set on # its file into the Ambient set. /nix/store/22qfvavs0hmg1vh2jwh0cal7apj0g0x0-libcap-2.26/bin/setcap "cap_setpcap,cap_net_raw+p" $wrapperDir/ping # Set the executable bit chmod u+rx,g+x,o+x $wrapperDir/ping cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/pkexec echo -n "/nix/store/g5r63nlmlzn8n6v7ahrfii0b5pk55lar-polkit-0.115-bin/bin/pkexec" > $wrapperDir/pkexec.real # Prevent races chmod 0000 $wrapperDir/pkexec chown root.root $wrapperDir/pkexec chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/pkexec cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/polkit-agent-helper-1 echo -n "/nix/store/r1b8ggg8w9kmdv9fjrir17qxbh1p38sj-polkit-0.115/lib/polkit-1/polkit-agent-helper-1" > $wrapperDir/polkit-agent-helper-1.real # Prevent races chmod 0000 $wrapperDir/polkit-agent-helper-1 chown root.root $wrapperDir/polkit-agent-helper-1 chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/polkit-agent-helper-1 cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/sg echo -n "/nix/store/hciblqqf5fwasmiac3ciw30h574nf6kk-shadow-4.6/bin/sg" > $wrapperDir/sg.real # Prevent races chmod 0000 $wrapperDir/sg chown root.root $wrapperDir/sg chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/sg cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/su echo -n "/nix/store/c4w7l847prnan6zzhx718c788bdkrg02-shadow-4.6-su/bin/su" > $wrapperDir/su.real # Prevent races chmod 0000 $wrapperDir/su chown root.root $wrapperDir/su chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/su cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/sudo echo -n "/nix/store/nik1ylfpjy80pi7qq0llvv7r359bq9s9-sudo-1.8.27/bin/sudo" > $wrapperDir/sudo.real # Prevent races chmod 0000 $wrapperDir/sudo chown root.root $wrapperDir/sudo chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/sudo cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/sudoedit echo -n "/nix/store/nik1ylfpjy80pi7qq0llvv7r359bq9s9-sudo-1.8.27/bin/sudoedit" > $wrapperDir/sudoedit.real # Prevent races chmod 0000 $wrapperDir/sudoedit chown root.root $wrapperDir/sudoedit chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/sudoedit cp /nix/store/r49crjh43kjiis3pvbkb1562innv1j9v-security-wrapper/bin/security-wrapper $wrapperDir/unix_chkpwd echo -n "/nix/store/wm300mkfk9sfx2lv3rcblqm8bza673g0-linux-pam-1.3.0/sbin/unix_chkpwd.orig" > $wrapperDir/unix_chkpwd.real # Prevent races chmod 0000 $wrapperDir/unix_chkpwd chown root.nogroup $wrapperDir/unix_chkpwd chmod "u+s,g-s,u+rx,g+x,o+x" $wrapperDir/unix_chkpwd if [ -L /run/wrappers/bin ]; then # Atomically replace the symlink # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ old=$(readlink -f /run/wrappers/bin) ln --symbolic --force --no-dereference $wrapperDir /run/wrappers/bin-tmp mv --no-target-directory /run/wrappers/bin-tmp /run/wrappers/bin rm --force --recursive $old else # For initial setup ln --symbolic $wrapperDir /run/wrappers/bin fi if (( _localstatus > 0 )); then printf "Activation script snippet '%s' failed (%s)\n" "wrappers" "$_localstatus" fi # Make this configuration the current configuration. # The readlink is there to ensure that when $systemConfig = /system # (which is a symlink to the store), /run/current-system is still # used as a garbage collection root. ln -sfn "$(readlink -f "$systemConfig")" /run/current-system # Prevent the current configuration from being garbage-collected. ln -sfn /run/current-system /nix/var/nix/gcroots/current-system exit $_status ``` -- You are receiving this because you commented. Reply to this email directly or view it on GitHub: #48623 (comment) part: text/html

[emmanuelrosa]

Thank you @dtzWill

Adding myself to the video group worked 👍

[xaverdh]

Good, that udev rule is now set up!
I guess this can be closed now?

[dtzWill]

Sounds like it, yes!

[asheshambasta]

Adding myself to the video group doesn't seem to do the trick.

Here's the user data:

# Create the video group (I've added this line after just adding the user to the video group)
users.groups.video = {}; 

users.users.ashesh = { 
  isNormalUser = true;
  extraGroups = [ "wheel" "video" ]; 
}

Doing light -U 10 has no effect whatsoever, and just a blank-line is output to stdout.

---

Scratch that, I was doing something silly.

[rjpcasalino]

Sorry, I know the issue is closed but I was wondering if it'd be worth it to update https://nixos.wiki/wiki/Backlight with the video group info? Or is that doc dead now?

[SrTobi]

I have this problem at the moment. Light is working with sudo, but does nothing without.
groups command shows users wheel disk audio video networkmanager for my user.

Has something changed? or is there something I can do to investigate further?

[xaverdh]

did you set programs.light.enable = true;?

[SrTobi]

Hi, yes it was set... but also began to work now. I don't know why or what changed... maybe a restart? but I thought I already had tried to reboot.

[edrex]

Okso

• light doesn't report permission errors by default. Use light -v 3 to see errors.
• adding light package to user env doesn't install the needed udev rule, so requires sudo light .... This is as expected.
• To install the udev rule file, NixOS programs.light.enable is needed.
• To get the permissions from the rule file applied without restarting, run sudo systemctl restart systemd-udev-trigger.service. (udevadm control --reload-rules && udevadm trigger isn't sufficient, not sure why but see systemctl cat systemd-udev-trigger.service). This seems like a bug. Shouldn't installing new rule files trigger this unit to restart? I searched through past issues but didn't find a clear answer.