Discussion about the use of `sudo` and `--use-remote-sudo` with `nixos-rebuild` (`switch`)

[Andrew15-5]

This is closely related to #342338. Also see #342657.

Here we can discuss is sudo or --use-remote-sudo should be used with nixos-rebuild switch.

Context that triggered this issue:
https://matrix.to/#/#users:nixos.org
https://matrix.to/#/!RRerllqmbATpmbJgCn:nixos.org/$kiwUm4NtvAMvswl0Wg12Dm5upHprhzf86vHemMNrxQk
https://nixos.org/manual/nixos/stable/#sec-changing-config

TL;DR is that Emily isn't fully convinced that sudo should be avoided and --use-remote-sudo used instead. Another point that was mentioned is that the activation script probably has some stuff that does not require root and other stuff that does. So perhaps the "attack vector" can be further reduced by only using root for those stuff that actually require it. Though I'm not really aware of what polkit actually is, so I can't really comment on this one.

CC @emilazy @SigmaSquadron @Aleksanaa @cafkafk

[eclairevoyant]

--use-remote-sudo only escalates for activation. As long as it works correctly, that's the ideal scenario. The only thing I'm not sure is if it works well with --upgrade/--upgrade-all for root's channels.

As for the flag's name, sure the name could be improved, especially as we now have nixos-rebuild-ng which doesn't have to make the mistakes of the current nixos-rebuild.

Also the matrix chat isn't publicly accessible, can you point out the relevant bits here?

[Andrew15-5]

I've added a link to the room. Also since you've mentioned channels, I'll say that I only discussed it from the flake perspective, though maybe it doesn't matter.

[emilazy]

@eclairevoyant The context is that the NixOS manual currently recommends --use-remote-sudo for local activation for what I consider to be dubious reasons and I think we should probably undo that change.

(I think the Matrix room logs are meant to be public?)

[Andrew15-5]

I'm not sure what is going on with Matrix, but this is not the first time someone can't see messages unless they are joined the room beforehand. Also added the link to the manual.

[SigmaSquadron]

This was fixed with nixos-rebuild-ng.

[SigmaSquadron]

Apologies, it was this other very similar issue that was fixed by nixos-rebuild-ng's deprecation of --use-remote-sudo

[elbasel-404]

Where is the matrix link??
@SigmaSquadron

[SigmaSquadron]

@elbasel42: I don't know what you're asking. There are relevant links on the original issue post pointing to some scattered discussions about --use-remote-sudo.

[thiagokokada]

The context is that the NixOS manual currently recommends --use-remote-sudo for local activation for what I consider to be dubious reasons and I think we should probably undo that change.

Yes please, let's revert. I am confident that --sudo/--use-remote-sudo works for Flake-based systems since there is no confusion between "root and current user", but I am not completely sure that it works correctly for channel based systems.

There is the --upgrade/--upgrade-all flag like @eclairevoyant cited, but also during the derivation build I think it will not work correctly since it will run nix-build '<nixpkgs/nixos>' --attr config.system.build.toplevel as the current user instead of root, and I am pretty sure this is not what we want. Even if those 2 cases are fixed, what we do for --target-host?

Also using --use-remote-sudo for local derivations is silly. Both nixos-rebuild and nixos-rebuild-ng supports --sudo now (nixos-rebuild-ng even warns if --use-remote-sudo is used).

[thiagokokada]

but also during the derivation build I think it will not work correctly since it will run nix-build '<nixpkgs/nixos>' --attr config.system.build.toplevel

Huh... I set up a VM and this seems to work even if the user has no channels. Can anyone confirm to me that if the channel is not found in the current user it looks at the root channels instead?

Edit: forgot about NIX_PATH 🤦. Nevermind what I said above.