Nixpkgs: sshd fails to start on 16.09: /var/emtpy must be owned by root and not group or world-writable

Following didn't help:

• chmod 400 /var/emtpy

Following did help:

• rm -f /var/empty & mkdir /var/empty

Deploying fresh 16.03 and 16.09 on top with sshd running doesn't yield this problem.

Maybe something created files in /var/emtpy?

Aha, here's what I have on my system:

$ ls /var/empty/ -la
total 4
dr-xr-xr-x 1 root root    8 Oct 31  2015 .
drwxr-xr-x 1 root root  136 Sep  4 18:58 ..
-rw------- 1 root root 1024 Oct 31  2015 .rnd

http://manpages.ubuntu.com/manpages/precise/en/man1/rand.1ssl.html:

 The rand command outputs num pseudo-random bytes after seeding the
       random number generator once.  As in other openssl command line tools,
       PRNG seeding uses the file $HOME/.rnd or .rnd in addition to the files
       given in the -rand option.  A new $HOME/.rnd or .rnd file will be
       written back if enough seeding was obtained from these sources.

Maybe some service has HOME=/var/empty set when it runs rand?

We could make /var/empty immutable to prevent this kind of problem.

Making it immutable seems like a good long-term permanent solution.

Not sure it was /var/empty/.rnd fault, I've tested on my machine and sshd starts regardless if I have /var/empty/a file.

Can't repro with

nix-build -E 'with import <nixpkgs/nixos> {
    configuration = {
      services.openssh.enable = true;
      users.extraUsers.root.initialHashedPassword = "";
      virtualisation.graphics = false;
    }
  }; vm' &&
./result/bin/run-nixos-vm

sshd starts fine in there. Am on 7c377f8.

Also starting the VM on release-16.03 on a clean filesystem, and then starting it again on 7c377f8 on the same filesystem doesn't seem to be a problem either.

I assume some service changed /var/empty, since it's the default directory for users.

This machine has been upgraded for a few NixOS stable releases, so it must be that it was writable at one time or changed by root.

I think making /var/empty immutable sounds correct, since this will pop up again.

Hmm, could this be a duplicate of https://github.com/NixOS/nixpkgs/issues/14910 ?

Only if createHome = true I guess?

Writting an assertion now to get cases when createHome = true and home = /var/empty.

Nothing sets that as of today, but let's make /var/empty immutable so this won't be able to happen in future.

https://github.com/NixOS/nixpkgs/pull/18365

There may very well be a million things I'm doing wrong, but this is just a friendly hint to let you know I had this break on me in the Riak package. Riak wants a user which does not specify a homedir, so /var/empty is used from what I understand. Riak's Erlang backend sets a ~/.erlang.cookie file, which location is impossible to change (I googled hard).

Rolling back won't fix my issue, as the old version does not contain code to revert this (e.g. chattr -i /var/empty). So instead I now added some Bash to revert this on my servers until I can think of a better way to fix this.

As said, just to let you know. I'm a newcomer to this, and very thankful for NixOS' existence and the hard work you're putting in. I'm also not contesting this particular change, it seems sounds.