00:01
_ris has joined #nixos-dev
00:03
ris has quit [Ping timeout: 246 seconds]
00:08
orivej has quit [Ping timeout: 264 seconds]
00:32
tilpner_ has joined #nixos-dev
00:35
tilpner has quit [Ping timeout: 240 seconds]
00:35
tilpner_ is now known as tilpner
00:50
ivan has joined #nixos-dev
01:06
abathur has quit [Quit: abathur]
01:10
_ris has quit [Read error: Connection reset by peer]
01:10
_ris has joined #nixos-dev
01:11
rajivr has joined #nixos-dev
01:49
andi- has quit [Ping timeout: 272 seconds]
01:52
andi- has joined #nixos-dev
02:23
_ris has quit [Ping timeout: 246 seconds]
02:31
_ris has joined #nixos-dev
03:08
LnL has quit [Ping timeout: 260 seconds]
03:09
LnL has joined #nixos-dev
03:09
LnL has quit [Changing host]
03:09
LnL has joined #nixos-dev
03:13
drakonis has quit [Quit: WeeChat 2.8]
03:26
_ris has quit [Ping timeout: 246 seconds]
03:42
_ris has joined #nixos-dev
04:54
orivej has joined #nixos-dev
04:59
MichaelRaskin has quit [Quit: MichaelRaskin]
05:02
orivej has quit [Ping timeout: 240 seconds]
05:03
orivej has joined #nixos-dev
05:04
cole-h has quit [Quit: Goodbye]
05:25
orivej has quit [Ping timeout: 246 seconds]
05:25
orivej has joined #nixos-dev
05:33
phreedom has quit [Remote host closed the connection]
05:33
<{^_^}> #91141 (by ivan, 2 days ago, open): grab-site: 2.1.16 -> 2.1.19
05:34
phreedom has joined #nixos-dev
05:47
orivej has quit [Ping timeout: 240 seconds]
05:48
orivej has joined #nixos-dev
06:15
orivej has quit [Ping timeout: 240 seconds]
06:16
orivej has joined #nixos-dev
06:20
abbe has quit [Quit: “Everytime that we are together, it's always estatically palpitating!”]
06:21
abbe has joined #nixos-dev
06:31
orivej has quit [Quit: No Ping reply in 180 seconds.]
06:32
orivej has joined #nixos-dev
06:43
orivej has quit [Ping timeout: 258 seconds]
06:55
Gaelan has joined #nixos-dev
07:19
FRidh has joined #nixos-dev
08:15
alp has joined #nixos-dev
08:48
orivej has joined #nixos-dev
08:59
orivej_ has joined #nixos-dev
09:01
orivej has quit [Ping timeout: 256 seconds]
09:04
alp has quit [Ping timeout: 272 seconds]
09:14
alp has joined #nixos-dev
09:45
__monty__ has joined #nixos-dev
10:03
urkk has joined #nixos-dev
10:04
<urkk> can nix-daemon run as a non-privileged user?
10:05
<urkk> doing some tests with systemd unit, but fails because it tries to chmod("/nix/var/nix/profiles/per-user/ram", 0755), but is already properly set
10:05
<niksnut> well, strictly speaking it probably can but it wouldn't be useful
10:07
<niksnut> we're actually running it as non-root in the nix test suite
10:07
<urkk> our sysadmins fear root daemons
10:07
<urkk> under nix/tests?
10:11
<urkk> the `unshare --user true` works as non-root, so I was wondering what other capabilities were needed if any
10:14
<niksnut> for the daemon to be useful, it needs to be able to run builds under different uids
10:14
<niksnut> in theory it could run as root in a uid namespace
10:16
orivej_ has quit [Read error: Connection reset by peer]
10:17
<urkk> seems feasible
10:17
orivej has joined #nixos-dev
10:27
orivej has quit [Ping timeout: 240 seconds]
10:29
<NinjaTrappeur> niksnut: could we leverage linux's CAP_SETUID for that?
10:32
<niksnut> probably, but on NixOS at least it would be pointless
10:32
<niksnut> since if you have write access to the nix store, it's trivial to escalate privilege
10:38
<NinjaTrappeur> aha, good point
10:44
kiwiirc has joined #nixos-dev
10:56
alp has quit [Ping timeout: 246 seconds]
11:06
gilligan has joined #nixos-dev
11:23
alp has joined #nixos-dev
11:32
orivej has joined #nixos-dev
11:51
<{^_^}> nixos-weekly#120 (by domenkozar, 3 weeks ago, open): Call for Content: 2020/06
11:58
orivej_ has joined #nixos-dev
12:01
orivej has quit [Ping timeout: 256 seconds]
12:07
orivej has joined #nixos-dev
12:08
orivej_ has quit [Ping timeout: 240 seconds]
12:17
orivej has quit [Quit: No Ping reply in 180 seconds.]
12:19
orivej has joined #nixos-dev
12:45
orivej has quit [Ping timeout: 264 seconds]
12:45
orivej has joined #nixos-dev
12:46
<kiwiirc> ty for nixos weekly link
12:53
orivej has quit [Quit: No Ping reply in 180 seconds.]
12:54
orivej has joined #nixos-dev
13:07
orivej has quit [Quit: No Ping reply in 180 seconds.]
13:09
orivej has joined #nixos-dev
13:17
orivej_ has joined #nixos-dev
13:17
orivej has quit [Ping timeout: 264 seconds]
13:28
orivej_ has quit [Quit: No Ping reply in 180 seconds.]
13:30
orivej has joined #nixos-dev
13:41
<gchristensen> heck yes!
13:47
adisbladi is now known as adisbladis
13:47
<kiwiirc> worldofpeace any interest in each release post like that linking to the prior release post?
13:48
<worldofpeace> kiwiirc: do you mean linking to the prior post about who's 20.03 rm (aka me) ?
13:50
<kiwiirc> oh sorry i thought this was a new version release, just read the post :)
13:50
<worldofpeace> lol, it isn't 20.09 time (yet)
13:54
orivej has quit [Ping timeout: 256 seconds]
13:54
orivej has joined #nixos-dev
14:07
rajivr has quit [Quit: Connection closed for inactivity]
14:14
orivej has quit [Quit: No Ping reply in 180 seconds.]
14:15
orivej has joined #nixos-dev
14:25
orivej has quit [Quit: No Ping reply in 180 seconds.]
14:26
orivej has joined #nixos-dev
14:35
orivej has quit [Quit: No Ping reply in 180 seconds.]
14:38
orivej has joined #nixos-dev
14:47
orivej_ has joined #nixos-dev
14:49
orivej has quit [Ping timeout: 240 seconds]
15:09
orivej_ has quit [Ping timeout: 260 seconds]
15:09
orivej has joined #nixos-dev
15:21
orivej has quit [Ping timeout: 256 seconds]
15:21
orivej has joined #nixos-dev
15:24
ckauhaus has joined #nixos-dev
15:45
orivej has quit [Ping timeout: 246 seconds]
15:46
orivej has joined #nixos-dev
15:58
justanotheruser has quit [Ping timeout: 272 seconds]
16:02
alp has quit [Ping timeout: 272 seconds]
16:02
alp_ has joined #nixos-dev
16:02
orivej has quit [Quit: No Ping reply in 180 seconds.]
16:03
orivej has joined #nixos-dev
16:13
drakonis has joined #nixos-dev
16:13
justanotheruser has joined #nixos-dev
16:14
orivej has quit [Quit: No Ping reply in 180 seconds.]
16:14
orivej has joined #nixos-dev
16:23
abathur has joined #nixos-dev
16:37
orivej has quit [Read error: Connection reset by peer]
16:37
orivej_ has joined #nixos-dev
16:38
<Mic92> urkk: I think it might be needed to have set build users
16:39
<Mic92> ah, was already said before.
16:46
abathur has quit [Ping timeout: 240 seconds]
16:46
cole-h has joined #nixos-dev
16:54
orivej_ has quit [Ping timeout: 265 seconds]
16:54
orivej has joined #nixos-dev
17:02
abathur has joined #nixos-dev
17:13
orivej has quit [Ping timeout: 260 seconds]
17:14
orivej_ has joined #nixos-dev
17:24
orivej_ has quit [Ping timeout: 260 seconds]
17:25
orivej has joined #nixos-dev
17:29
lopsided98 has left #nixos-dev [#nixos-dev]
17:33
orivej has quit [Ping timeout: 265 seconds]
17:33
orivej has joined #nixos-dev
17:40
lopsided98 has joined #nixos-dev
17:46
_ris is now known as ris
17:48
orivej_ has joined #nixos-dev
17:50
orivej has quit [Ping timeout: 256 seconds]
17:52
bennofs has joined #nixos-dev
17:52
drakonis has quit [Quit: WeeChat 2.8]
17:55
bennofs_ has quit [Ping timeout: 246 seconds]
17:57
orivej_ has quit [Ping timeout: 256 seconds]
17:58
orivej has joined #nixos-dev
18:15
orivej has quit [Quit: No Ping reply in 180 seconds.]
18:16
orivej has joined #nixos-dev
18:26
orivej has quit [Quit: No Ping reply in 180 seconds.]
18:26
orivej has joined #nixos-dev
18:35
drakonis_ has joined #nixos-dev
18:47
orivej has quit [Ping timeout: 260 seconds]
18:47
orivej has joined #nixos-dev
18:56
<urkk> I'm testing running the daemon with root but limiting the capabilities to: CAP_CHOWN CAP_FOWNER CAP_SETUID
18:58
<urkk> As well as ProtectSystem=full, ProtectHome=yes and PrivateDevices=true
18:58
<gchristensen> oh cool
18:59
<urkk> Removing the capabilities restriction works
19:03
orivej has quit [Quit: No Ping reply in 180 seconds.]
19:04
<symphorien> won't PrivateDevices prevent usage of kvm?
19:05
orivej has joined #nixos-dev
19:10
<NinjaTrappeur> urkk: nice!
19:10
<urkk> So this works: [pid 14863] openat(AT_FDCWD, "/dev/ptmx", O_RDWR|O_NOCTTY) = 12
19:11
drakonis has joined #nixos-dev
19:11
<urkk> But this should fail (?): [pid 14863] chmod("/dev/pts/6", 0600) = 0
19:13
drakonis_ has quit [Ping timeout: 240 seconds]
19:23
FRidh has quit [Ping timeout: 260 seconds]
19:23
<sphalerite> how long is the latency between a new release of some package coming out and nixpkgs-update/r-ryantm making the bump PR?
19:23
<sphalerite> typically*
19:23
FRidh has joined #nixos-dev
19:24
<cole-h> Isn't it tied to around when repology.org updates the version?
19:25
<samueldr> which in turn, depends on other distros doing the same
19:25
<samueldr> I'd say it varies wildly
19:25
orivej has quit [Quit: No Ping reply in 180 seconds.]
19:25
<samueldr> when I was still maintaining a package sometimes it was the day of, sometimes it didn't seem to happen
19:26
<samueldr> a particular package*
19:26
orivej has joined #nixos-dev
19:27
<sphalerite> symphorien: sure, but it can be allow-listed using a bind mount
19:27
<sphalerite> cole-h samueldr: it also gets info from github releases nowadays
19:28
<sphalerite> and pypi
19:28
<cole-h> Huh, cool. Now, how often that happens is the question :P
19:28
<sphalerite> yep. I guess ryantm is the person best equipped to tell us that :D
19:29
<samueldr> I guess it must depend on where in the cycle of checking it is :)
19:29
alp_ has quit [Ping timeout: 260 seconds]
19:32
<NinjaTrappeur> urkk: Did you try setting CAP_SYS_TTY_CONFIG ?
19:33
<urkk> NinjaTrappeur yes
19:34
<NinjaTrappeur> I do not see any capability around openpt :(
19:36
<NinjaTrappeur> hmm, could you push your wip somewhere? I'm interested, I'd like to have a look as well.
19:39
<urkk> NinjaTrappeur sure
19:40
FRidh has quit [Quit: Konversation terminated!]
19:40
<urkk> I was looking for the impl of posix_openpt, from strace looks like it only opens /dev/ptmx
19:42
<NinjaTrappeur> yes. I'm not sure how familiar you are with pseudo terminals, but I surely wasn't familiar at all with those 30 minutes ago, these two pages helped a lot:
19:43
<NinjaTrappeur> ptmx is the one providing you with a new ptm/pts couple.
19:43
<NinjaTrappeur> So it kinda makes sense :)
19:43
<NinjaTrappeur> I still don't get the permission issue from your trace though :/
19:46
orivej has quit [Ping timeout: 256 seconds]
19:46
orivej has joined #nixos-dev
19:48
<urkk> NinjaTrappeur did you succeed in running nix-env with this hardening?
19:48
<urkk> Note: I'm using the last release not master
19:49
<urkk> Now it fails at the start: [pid 3768818] openat(AT_FDCWD, "/dev/ptmx", O_RDWR|O_NOCTTY) = -1 EACCES (Permission denied)
19:54
alp_ has joined #nixos-dev
20:00
<urkk> There is a cap (set bit) from CapBnd: 0000003ff7ffffff to CapBnd: 0000000005220089 that makes it fail
20:01
<urkk> I will continue tomorrow and see if I find which one it is :-)
20:06
drakonis1 has joined #nixos-dev
20:07
<urkk> CAP_DAC_OVERRIDE! ofc it ignores the 000 perm of /dev/ptmx
20:09
drakonis has quit [Ping timeout: 272 seconds]
20:09
drakonis_ has joined #nixos-dev
20:11
drakonis_ has quit [Read error: No route to host]
20:11
drakonis1 has quit [Ping timeout: 240 seconds]
20:15
drakonis has joined #nixos-dev
20:15
<urkk> With ProtectHome=yes it recompiles everything, but with ProtectHome=read-only it works ok
20:18
drakonis_ has joined #nixos-dev
20:20
drakonis has quit [Ping timeout: 260 seconds]
20:31
evanjs has quit [Read error: Connection reset by peer]
20:31
evanjs has joined #nixos-dev
20:33
orivej has quit [Ping timeout: 265 seconds]
20:33
orivej has joined #nixos-dev
20:38
ckauhaus has quit [Quit: WeeChat 2.7.1]
20:44
drakonis has joined #nixos-dev
20:53
drakonis_ has quit [Ping timeout: 240 seconds]
21:00
orivej has quit [Quit: No Ping reply in 180 seconds.]
21:01
orivej has joined #nixos-dev
21:13
alp_ has quit [Ping timeout: 272 seconds]
21:23
orivej has quit [Quit: No Ping reply in 180 seconds.]
21:24
sdier[m] has joined #nixos-dev
21:24
orivej has joined #nixos-dev
21:32
orivej has quit [Ping timeout: 260 seconds]
21:32
orivej has joined #nixos-dev
21:40
orivej has quit [Ping timeout: 246 seconds]
21:41
orivej has joined #nixos-dev
21:49
orivej has quit [Ping timeout: 260 seconds]
21:50
orivej has joined #nixos-dev
21:57
alp_ has joined #nixos-dev
22:04
justanotheruser has quit [Ping timeout: 264 seconds]
22:08
drakonis_ has joined #nixos-dev
22:13
orivej has quit [Quit: No Ping reply in 180 seconds.]
22:14
orivej has joined #nixos-dev
22:26
justanotheruser has joined #nixos-dev
22:27
__monty__ has quit [Quit: leaving]
22:44
orivej has quit [Quit: No Ping reply in 210 seconds.]
22:45
orivej has joined #nixos-dev
22:54
orivej has quit [Ping timeout: 260 seconds]
22:54
orivej_ has joined #nixos-dev
23:11
orivej_ has quit [Ping timeout: 258 seconds]
23:26
alp_ has quit [Ping timeout: 272 seconds]