Enabling the nix daemon seems to change permissions on the store to root

[druimalban]

I have been using nix with nix-darwin on my computer running MacOS for some time. Currently, I've got it working on Catalina using the approach of an extra volume mounted at /nix as per synthetic.conf.

However, a problem recently appeared (certainly within the last week) which has been difficult to pin down. It is similar to the following issue: #118.

Like that issue, I get all sorts of errors concerning lock files, but I don't use nix-gc (indeed, this is the first time I have come across it).

Because it concerns ownership, I tried changing the ownership to my user, something like chown -R user:staff /nix, but I think that is wrong and it wasn't working. In the end I had to reinstall nix. This actually worked fine for a couple of days, but then I decided to reinstall nix-darwin.

Almost immediately the problem appeared again, so I attempted to reinstall (again after deleting the store and then reinstalling nix itself). Given the issue before, I think it may be the nix daemon, so I changed the config only to set services.nix-daemon.enable = false; in darwin-configuration.nix.

I have so far not had the same problem. I think this is quite likely to be the source of the issue. The reasons for this are the experience above, but also it makes sense for installation to complete because whatever the nix daemon is doing (I assume ownership given what I have described and the similar issue) has not activated yet as it hasn't been started by launchd at that point.

I have attached several files. The first one is a sample error when I do darwin-rebuild switch. The second one is my current config (you will see the nix daemon is commented out and the default seems to be false although I can't find it mentioned in the manpage).

I have another question, since I don't understand it and it is related. What are the benefits of enabling the nix daemon? I have not noticed a difference with it off. Is this mostly for e.g. Hydra builders and is there anything I should know?

Thank you in advance.

darwin-rebuild_switch.txt
darwin-configuration.nix.txt

[purcell]

I hit what I think is this issue too, leaving me unable to darwin-rebuild switch, and it looks like I have been able to get around it by changing ownership of /nix/var: sudo chown -R root:1 /nix/var

Also need to add yourself to the trustedUsers list.

[LnL7]

The permission changes are expected, with a single user install everything is owned by and runs as your local user. A daemon installation has 2 main differences.

• The store is owned by root and only managed by the daemon, your user won't have direct permissions anymore and the nix client will have to connect through the daemon to perform operations.
• Builds don't run as the user which owns the store anymore (that would be root now!), instead each build runs as a separate unprivileged user (nixbld1, ...). This means builds are more isolated, a malicious build won't have permissions to read your home even without sandboxing enabled.

While nix-darwin makes it easier to upgrade an existing nix installation to use the daemon, it won't handle everything. Changing ownership of the entire store during activation would take a very long time and isn't very atomic. I think what happened in this case is that because you changed the permissions of both /nix/store as well as /nix/var/nix/db the nix client isn't trying to connect to the daemon resulting in it fighting with the daemon over permissions. There is supposed to be a sanity check for this but I guess it didn't cover this specific case. Something among these lines would be the expected permissions.

chown -R root:nixbld /nix
chmod 1777 /nix/var/nix/profiles/per-user
chown -R $USER:staff /nix/var/nix/profiles/per-user/$USER
mkdir -m 1777 -p /nix/var/nix/gcroots/per-user
chown -R $USER:staff /nix/var/nix/gcroots/per-user/$USER

Also need to add yourself to the trustedUsers list.

You don't have to, nixos doesn't have this by default either. That just means privileged nix operations must be run explicitly with sudo.

[purcell]

You don't have to, nixos doesn't have this by default either. That just means privileged nix operations must be run explicitly with sudo.

Good to know, and thanks for the very complete clarification re. the permissions.

[WhatisRT]

I'm using a multi-user installation of nix, which forbids me from disabling the deamon as mentioned in the first post. This means I'm currently having to run chown -R root:nixbld /nix every time I run darwin-rebuild switch, which is of course really annoying. Is there any workaround or fix for that situation?

[LnL7]

What you describe is the opposite behaviour which sounds pretty weird, if the store is owned by root nothing should be able to just change it back to your local user.