nix lock can modify lock files in the nix store and corrupt it #10139
mickael9 opened this issue Mar 4, 2024 · 1 comment


mickael9 commented Mar 4, 2024

Describe the bug

Using --update-input can allow nix to modify the lockfile in the nix store, rendering it corrupted

Steps To Reproduce

$ export NIX_CONFIG="experimental-features = nix-command flakes"

$ nix flake info "git+https://gist.github.com/8f6fae8f7406d2bb5edd636cdcd47d37.git"
[...]
Path:          /nix/store/ym20x8nwxyg574s4159947sbrn5a2ilr-source
[...]

$ md5sum /nix/store/ym20x8nwxyg574s4159947sbrn5a2ilr-source/flake.lock 
01f01a46a97b7e78de94cce4ebfeb989  /nix/store/ym20x8nwxyg574s4159947sbrn5a2ilr-source/flake.lock

$ nix flake lock --update-input nixpkgs /nix/store/ym20x8nwxyg574s4159947sbrn5a2ilr-source
warning: '--update-input' is a deprecated alias for 'flake update' and will be removed in a future version.
warning: updating lock file '/nix/store/ym20x8nwxyg574s4159947sbrn5a2ilr-source/flake.lock':
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/1d1817869c47682a6bee85b5b0a6537b6c0fba26' (2024-02-16)
  → 'github:NixOS/nixpkgs/79baff8812a0d68e24a836df0a364c678089e2c7' (2024-03-01)

$ md5sum /nix/store/ym20x8nwxyg574s4159947sbrn5a2ilr-source/flake.lock 
095a3e64f215ba303a071ac0284816f9  /nix/store/ym20x8nwxyg574s4159947sbrn5a2ilr-source/flake.lock

$ nix store verify /nix/store/ym20x8nwxyg574s4159947sbrn5a2ilr-source 
path '/nix/store/ym20x8nwxyg574s4159947sbrn5a2ilr-source' was modified! expected hash 'sha256:0f8v47bpn5cdfvsah14ar2wljz72bprcm224g7jydqm1l8sfa5ca', got 'sha256:0lxi4zmykn5nnsdp8aa9p7q1jav8vvn34axbjgw089xp0jilflld'

Expected behavior

The store should not be modified (there should be an error, or --no-write-lock-file should be implied)

nix-env --version output
nix-env (Nix) 2.20.4

Additional context

This was discovered by following the wiki guide here:
https://nixos.wiki/wiki/Automatic_system_upgrades

With this configuration, the auto update script will run commands such as:

/nix/store/xnw2dyxxbasc6rxm7n4fq0fga2iiy1dn-nixos-rebuild/bin/nixos-rebuild switch --update-input nixpkgs -L --flake /nix/store/mis15fq6fbvv3r3pqrydk9qpxqvrn186-source --upgrade
mickael9 added the bug label Mar 4, 2024

@thufschmitt (Member) commented

I can reproduce this when running the nix flake update command as root.

My (strong) intuition is that the command will run in a mount namespace with write access to the store (because some operations require it), and Nix doesn't check that the lockfile is in the store, so overwrites it.

Quick workaround: set the NIX_REMOTE environment variable to daemon (or set the store option to daemon in /etc/nix/nix.conf) to force using the daemon, even when running as root.
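A guard an auto-upgrade script could put in front of nix flake lock, added here as an example and not code from Nix or from anyone in this thread: it checks whether the flake path resolves into the store (honouring the NIX_STORE_DIR override Nix itself reads, default /nix/store) and, if so, passes --no-write-lock-file so the updated lock is computed but never written over the store copy. The function names are assumptions.

```sh
#!/bin/sh
# Guard wrapper for 'nix flake lock': never let a lock-file update write into
# the Nix store. Added example, not code from Nix or from this issue.
# Honours the NIX_STORE_DIR override Nix itself reads; defaults to /nix/store.
NIX_STORE_DIR="${NIX_STORE_DIR:-/nix/store}"

# in_nix_store PATH -> exit 0 if PATH is inside the store, 1 otherwise.
# Symlinks are resolved first (when the path exists) so a link that points
# into the store is still caught.
in_nix_store() {
    p="$1"
    if [ -e "$p" ]; then
        p=$(readlink -f -- "$p") || return 1
    fi
    case "$p" in
        "$NIX_STORE_DIR"/*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# safe_flake_lock FLAKE [nix flake lock options...]
# A store path's NAR hash is recorded in the Nix database, so rewriting its
# flake.lock is exactly what makes 'nix store verify' report "was modified".
# If FLAKE resolves into the store, run the update with --no-write-lock-file
# (a real nix flag) so the new lock is computed but not written; otherwise
# pass the command through unchanged.
safe_flake_lock() {
    flake="$1"; shift
    if in_nix_store "$flake"; then
        echo "safe_flake_lock: '$flake' is a store path; adding --no-write-lock-file" >&2
        nix flake lock --no-write-lock-file "$@" "$flake"
    else
        nix flake lock "$@" "$flake"
    fi
}

# When invoked as a script: safe_flake_lock.sh FLAKE [options...]
if [ $# -gt 0 ]; then
    safe_flake_lock "$@"
fi
```

For a NixOS auto-upgrade unit the same check applies to the --flake argument handed to nixos-rebuild; drop the --update-input there rather than letting it write into the store.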
