
[2.20.5 regression] nix eval fails with '/etc/nixos': ... is not owned by current user #10202

Open
trofi opened this issue Mar 9, 2024 · 6 comments
Labels
bug fetching Networking with the outside (non-Nix) world, input locking

Comments

@trofi
Contributor

trofi commented Mar 9, 2024

Describe the bug

After NixOS upgraded to nix-2.20.5 some evals ran as user started failing as:

$ nix eval --impure --raw /etc/nixos#nixosConfigurations.$(hostname).config.system.build.toplevel.drvPath
error:
       … while fetching the input 'git+file:///etc/nixos'

       error: opening Git repository '/etc/nixos': repository path '/etc/nixos/' is not owned by current user

These used to work. Running a sudo works as expected (but I think it's a needless constraint):

$ sudo nix eval --impure --raw /etc/nixos#nixosConfigurations.$(hostname).config.system.build.toplevel.drvPath
/nix/store/qr5v3hbc1hh16cgac7s6nbf5ixnp914p-nixos-system-nz-24.05.20240309.de66856.drv

Permissions and IDs:

$ ls -ld /etc/nixos
drwxr-xr-x 1 root root 1014 Mar  6 22:25 /etc/nixos

$ id
uid=1000 ...

nix-env --version output: nix-env (Nix) 2.20.5

Priorities

Add 👍 to issues you find important.

@trofi trofi added the bug label Mar 9, 2024
@trofi
Contributor Author

trofi commented Mar 9, 2024

Currently working it around with $ git config --global --add safe.directory /etc/nixos as current user.

@thufschmitt
Member

Yes, that's very likely a consequence of https://nvd.nist.gov/vuln/detail/CVE-2022-24765 from the Git side.

We could probably specify the path to the git repo explicitly to disable that check when we know it's safe (and once #6464 is merged 😒 )

@arcuru
Contributor

arcuru commented Mar 13, 2024

I suspect I hit the same issue after updating. Same nix version (2.20.5) but I am using a flake repo in my home directory to manage my NixOS machine.

sudo nixos-rebuild failed because of the ownership issue, and being on nixos using a nixos-rebuild switch command failed for the user. I needed to change the ownership of my flake repo to root to let me update.

sudo works above because your /etc/nixos is owned by root.

❯ sudo nixos-rebuild switch --flake .#carbon
error:
       … while fetching the input 'git+file:///home/patrick/.dotfiles'

       error: opening Git repository '/home/patrick/.dotfiles': repository path '/home/patrick/.dotfiles/' is not owned by current user
❯ nixos-rebuild switch --flake .#carbon
building the system configuration...
error: creating symlink from '/nix/var/nix/profiles/.0_system' to 'system-745-link': Permission denied
❯ sudo chown root /home/patrick/.dotfiles/ -R
❯ sudo nixos-rebuild switch --flake .#carbon
building the system configuration
<----snipped---->

@Aleksanaa
Member

I can think of two workarounds for nixos-rebuild:

  1. Use nixos-rebuild switch --use-remote-sudo instead of sudo nixos-rebuild switch.
  2. Bind mount /etc/nixos to another path and set owner to you.

Still waiting for a proper solution.

@roberth roberth added the fetching Networking with the outside (non-Nix) world, input locking label Mar 22, 2024
@fricklerhandwerk
Contributor

Triaged in Nix team meeting:

  • @edolstra @Ericson2314 have doubt we're vulnerable to the CVE in question, since we specify the path to the Git repo, so it shouldn't search up the tree. We may just want to disable the behavior by default.
  • @fricklerhandwerk doubts this is anything but a purely flake issue (i.e. experimental does not mean stable). And doing fetchGit on a local directory would likely be holding it wrong. If you want to filter for files, use the fileset library, it's just as convenient and scales better.
    • @roberth: people use it that way, period
  • If we want to disable it, have to check if it's even possible in libgit2. @trofi would you like to help out resolving the issue?

@nixos-discourse

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2023-03-27-nix-team-meeting-134/42961/1


7 participants