nixos-rebuild-ng: run upgrade_channels with sudo

[thiagokokada]

Fix #424749.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• Nixpkgs 25.11 Release Notes (or backporting 25.05 Nixpkgs Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
• NixOS 25.11 Release Notes (or backporting 25.05 NixOS Release notes)
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other contributing documentation in corresponding paths.

---

Add a 👍 reaction to pull requests you find important.

[thiagokokada]

CC @name-snrl to testing.

[name-snrl]

Works for me. But I'm not sure if this problem should be solved in this way. I see 3 possible solutions:

1. Current, where --upgrade respects --sudo. But in cases when user will run nixos-rebuild without --sudo and not as root, it will silently upgrade nixos user channel. And This behavior is not obvious to the user, because, as I mentioned in issue, the manual says: Update the root user's channel named ‘nixos’ before rebuilding the system.
2. Deprecate --upgrade(-all) options.
3. When user pass --upgrade(-all) flag we check whether the user is root or the command is run with --sudo flag. If neither is true, we throw an error, like: If you pass the --upgrade or --upgrade-all flag, you must also pass --sudo or run the command as root (e.g., with sudo).

wdyt @thiagokokada ?

[name-snrl]

it will silently upgrade nixos user channel

Oh, no, it doesn't. I see, it only loops over /nix/var/nix/profiles/per-user/root/channels/

---

edit: another "oh". I thought /nix/var/nix/profiles/per-user/root/channels/ isn't world-readable, but it's just symlinks on /nix/store:

> ls -la /nix/var/nix/profiles/per-user/root/channels
lrwxrwxrwx - root root  1 Jan  1970 nixos -> /nix/store/7wfpz53k2lsa62wg42dg54li0rzkjwrw-nixos/nixos
lrwxrwxrwx - root root  1 Jan  1970 manifest.nix -> /nix/store/2m8whkhdd2y2lgjkxkhvwz207b46bd0w-env-manifest.nix

So, yes, is it correct: in cases when nixos-rebuild is run without --sudo and not as root - it would look at /nix/var/nix/profiles/per-user/root/channels/, but updates user's channels

[thiagokokada]

@name-snrl Ok, I added a check for --sudo/root. Can you review/test?

[name-snrl]

LGTM

[thiagokokada]

Works for me. But I'm not sure if this problem should be solved in this way. I see 3 possible solutions:

1. Current, where `--upgrade` respects `--sudo`. But in cases when user will run `nixos-rebuild` without `--sudo` and not as root, it will silently upgrade `nixos` user channel. And This behavior is not obvious to the user, because, as I mentioned in issue, the manual says: _Update the root user's channel named ‘nixos’ before rebuilding the system_.

2. Deprecate `--upgrade(-all)` options.

3. When user pass `--upgrade(-all)` flag we check whether the user is root or the command is run with `--sudo` flag. If neither is true, we throw an error, like: _If you pass the `--upgrade` or `--upgrade-all` flag, you must also pass `--sudo` or run the command as root (e.g., with sudo)._

Let me expand this a little. I think the current channel upgrade code is messy and maybe it shouldn't exist, so I would like to actually do 2, but I also think deprecating this option will cause headaches for channel users, so 3 is probably the quickest solution, this is why I decided to implement it.

[Frontear]

Looks like a good change. Since flakes vs channels is a forever limbo discussion, I don't think there's a need to outright deprecate this feature just yet. This is definitely a good way to handle it without any weird silent behaviors.

[nixpkgs-ci]

Successfully created backport PR for release-25.05:

• [Backport release-25.05] nixos-rebuild-ng: run upgrade_channels with sudo #424887