Nixpkgs: /dev/fuse permissions are too restrictive

Created on 14 Sep 2019 · 9 Comments · Source: NixOS/nixpkgs

Describe the bug
/dev/fuse isn't user read/writable

To Reproduce

$ ls -l /dev/fuse
crw------- 1 root root 10, 229 Sep 15  2019 /dev/fuse

Expected behavior

$ ls -l /dev/fuse
crw-rw-rw- 1 root root 10, 229 Sep 12 23:25 /dev/fuse

Additional context
I've been testing with git bisect and nixos-rebuild build-vm:

$ git bisect log
git bisect start
# good: [42607bb05904dbd05895cc584401a714ca71a3f3] vim: 8.1.1547 -> 8.1.1967 (#68011)
git bisect good 42607bb05904dbd05895cc584401a714ca71a3f3
# good: [42607bb05904dbd05895cc584401a714ca71a3f3] vim: 8.1.1547 -> 8.1.1967 (#68011)
git bisect good 42607bb05904dbd05895cc584401a714ca71a3f3
# bad: [4e2f3e0c944964c910c890782a77ae428043dd64] nut: fix broken build
git bisect bad 4e2f3e0c944964c910c890782a77ae428043dd64
# good: [07fa0411403ac3e0aefed5de78541f639488baec] Merge pull request #68208 from adisbladis/elk-bumps
git bisect good 07fa0411403ac3e0aefed5de78541f639488baec
# good: [47caef475f8102f165356130fb36e87a11b43171] Merge master into staging-next
git bisect good 47caef475f8102f165356130fb36e87a11b43171
# bad: [9d8e16173d03e611da452b890d5ea7fae54d700f] doc/gnome: explain glib passthru functions
git bisect bad 9d8e16173d03e611da452b890d5ea7fae54d700f
# bad: [e3f25191c4af029ed071d6ad06547473edb35148] Merge staging-next into staging
git bisect bad e3f25191c4af029ed071d6ad06547473edb35148
# good: [59d65e23e1656344e3fc063e0e5dd3fbfe9a332f] Merge pull request #68258 from teto/luarocks-nix_bump
git bisect good 59d65e23e1656344e3fc063e0e5dd3fbfe9a332f
# bad: [4b929acf6739c1a60616f2a1edaf513b8e3dcc84] Merge staging-next into staging
git bisect bad 4b929acf6739c1a60616f2a1edaf513b8e3dcc84
# skip: [2b605e96c289b5f43fc31f3c177d6622a2767142] nixos/networkd: continue supporting 99-main with wildcard interface match
git bisect skip 2b605e96c289b5f43fc31f3c177d6622a2767142
# good: [ee1b8e4c7b9134dd8ae18d3476dff1691de20d0f] python2.pkgs.wxPython: fix build
git bisect good ee1b8e4c7b9134dd8ae18d3476dff1691de20d0f
# skip: [bcea6dfe2e2e5b7b6af62faf3b917a0a1746b499] python: numpy: 1.17.1 -> 1.17.2
git bisect skip bcea6dfe2e2e5b7b6af62faf3b917a0a1746b499
# skip: [02e83699bb5dde26c326d4e2ce6a5d91e6345916] Merge pull request #68096 from andir/systemd-v243
git bisect skip 02e83699bb5dde26c326d4e2ce6a5d91e6345916
# skip: [d9b1256f9328e43aacf741ca5b8887ffbe578a21] systemd: 242 -> 243
git bisect skip d9b1256f9328e43aacf741ca5b8887ffbe578a21
# skip: [9c06aae94ad42aba50c7ff3c503ddcb362f4a80e] systemd: add myself as maintainer
git bisect skip 9c06aae94ad42aba50c7ff3c503ddcb362f4a80e
# skip: [27f10869e295983b6551f26dcc7fc0928871846d] taglib: fix ogg file corruption (#68088)
git bisect skip 27f10869e295983b6551f26dcc7fc0928871846d
# good: [35bcacc22632ff8424241aca0da055eb5e72cd99] linux-kernel: HID_BATTERY_STRENGTH=yes
git bisect good 35bcacc22632ff8424241aca0da055eb5e72cd99
# skip: [f59b4cb8d545d3bb1bd954f9e3267cb7ebec3557] nixos/tests/login: fix the seat test by loading sound drivers
git bisect skip f59b4cb8d545d3bb1bd954f9e3267cb7ebec3557
# skip: [be2dc6bbcec0ecb8d0c8d61b58e6663b219fa0f7] Merge branch 'staging-next' into staging
git bisect skip be2dc6bbcec0ecb8d0c8d61b58e6663b219fa0f7
# skip: [4241a7f1b8513cf62aa1e26cb5525069238c9386] Merge pull request #68149 from colemickens/nixpkgs-bt-power
git bisect skip 4241a7f1b8513cf62aa1e26cb5525069238c9386
# skip: [60db597e86e289ef61dcac551060f571fb366f8e] Merge staging-next into staging
git bisect skip 60db597e86e289ef61dcac551060f571fb366f8e
# bad: [7e912475961c791737f545eeaa3b898b1224a94b] Merge branch 'staging-next' into staging
git bisect bad 7e912475961c791737f545eeaa3b898b1224a94b
# only skipped commits left to test
# possible first bad commit: [7e912475961c791737f545eeaa3b898b1224a94b] Merge branch 'staging-next' into staging
# possible first bad commit: [02e83699bb5dde26c326d4e2ce6a5d91e6345916] Merge pull request #68096 from andir/systemd-v243
# possible first bad commit: [9c06aae94ad42aba50c7ff3c503ddcb362f4a80e] systemd: add myself as maintainer
# possible first bad commit: [f59b4cb8d545d3bb1bd954f9e3267cb7ebec3557] nixos/tests/login: fix the seat test by loading sound drivers
# possible first bad commit: [2b605e96c289b5f43fc31f3c177d6622a2767142] nixos/networkd: continue supporting 99-main with wildcard interface match
# possible first bad commit: [d9b1256f9328e43aacf741ca5b8887ffbe578a21] systemd: 242 -> 243
# possible first bad commit: [bcea6dfe2e2e5b7b6af62faf3b917a0a1746b499] python: numpy: 1.17.1 -> 1.17.2
# possible first bad commit: [27f10869e295983b6551f26dcc7fc0928871846d] taglib: fix ogg file corruption (#68088)
# possible first bad commit: [4241a7f1b8513cf62aa1e26cb5525069238c9386] Merge pull request #68149 from colemickens/nixpkgs-bt-power
# possible first bad commit: [be2dc6bbcec0ecb8d0c8d61b58e6663b219fa0f7] Merge branch 'staging-next' into staging
# possible first bad commit: [60db597e86e289ef61dcac551060f571fb366f8e] Merge staging-next into staging

Metadata
Please run nix run nixpkgs.nix-info -c nix-info -m and paste the result.

  • system: "x86_64-linux"
  • host os: Linux 4.19.71, NixOS, 19.09beta142.54ad3625cf8 (Loris)
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Nix) 2.3
  • channels(root): "nixos-19.09beta142.54ad3625cf8"
  • nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module:
bug regression blocker nixos

All 9 comments

After further testing, I found that reverting d9b1256f9328e43aacf741ca5b8887ffbe578a21 fixes the issue. I'm guessing that this new file https://github.com/systemd/systemd/blob/master/tmpfiles.d/static-nodes-permissions.conf.in needs to be installed somewhere.

CCing maintainers of systemd: @edolstra @andir

There are even more tmpfiles configs that we're not using. I'll check what applies to us and prepare a PR.

It would be cool if there was a test for the permissions.

I have the same issue with /dev/fuse for pkgs.sshfs: can't mount remote sshfs as user, only as root.
la /dev/fuse
crw------- 1 root root 10, 229 Sep 23 14:36 /dev/fuse
~> sshfs [email protected]:/ ~/sshfs/
fuse: failed to open /dev/fuse: Permission denied

Any fix we can expect soon?

Seems the permissions are associated with systemd
/etc/static/systemd/system/kmod-static-nodes.service

kmod static-nodes --format=tmpfiles --output=/run/tmpfiles.d/static-nodes.conf
cat /run/tmpfiles.d/static-nodes.conf
c! /dev/autofs 0600 - - - 10:235
c! /dev/fuse 0600 - - - 10:229
c! /dev/cuse 0600 - - - 10:203
c! /dev/btrfs-control 0600 - - - 10:234
c! /dev/nvram 0600 - - - 10:144
c! /dev/loop-control 0600 - - - 10:237
d /dev/net 0755 - - -
c! /dev/net/tun 0600 - - - 10:200
c! /dev/ppp 0600 - - - 108:0
c! /dev/uinput 0600 - - - 10:223
d /dev/mapper 0755 - - -
c! /dev/mapper/control 0600 - - - 10:236
d /dev/vfio 0755 - - -
c! /dev/vfio/vfio 0600 - - - 10:196
c! /dev/userio 0600 - - - 10:240
c! /dev/vhci 0600 - - - 10:137
c! /dev/uhid 0600 - - - 10:239
c! /dev/vhost-net 0600 - - - 10:238
c! /dev/vhost-vsock 0600 - - - 10:241
d /dev/snd 0755 - - -
c! /dev/snd/timer 0600 - - - 116:33
d /dev/snd 0755 - - -
c! /dev/snd/seq 0600 - - - 116:1

Strangely, on my 19.09 system /dev/fuse does have 666 permission, despite /run/tmpfiles.d/static-nodes.conf containing a line c! /dev/fuse 0600 - - - 10:229.

I think the permission is automatically set to 666 by udev rules when the fuse module is loaded.

In my system on the 19.09pre channel I have this issue manifesting in kbfsmount failing with a permission error.

crw------- 1 root root 10, 229 Sep 23 21:48 /dev/fuse
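
A permissions check of the kind asked for in the thread, as an added example that is not part of the original issue or of nixpkgs: it reads a tmpfiles.d-format file such as /run/tmpfiles.d/static-nodes.conf, reports the mode declared for a device node next to its live mode, and fails when unprivileged users cannot read and write the node. The function names and the embedded sample (lines copied from the output quoted above) are constructed for illustration, and `stat -c` assumes GNU coreutils or busybox.

```shell
#!/bin/sh
# Added example, not from the issue thread: compare the mode a tmpfiles.d
# file declares for a device node with the node's live mode.

# declared_mode CONF NODE: print the mode on the 'c'/'b' (device node)
# line for NODE in a tmpfiles.d-format file; fail if there is no such line.
declared_mode() {
    awk -v node="$2" '
        $1 ~ /^[cb]/ && $2 == node { mode = $3; found = 1 }
        END { if (found) print mode; else exit 1 }' "$1"
}

# world_rw MODE: succeed when the "other" digit grants read and write.
world_rw() {
    [ $(( 0$1 & 6 )) -eq 6 ]
}

# check_node CONF NODE: report declared vs. live mode; non-zero status
# when the live node is missing or not usable by unprivileged users.
check_node() {
    declared=$(declared_mode "$1" "$2") || declared=none
    live=$(stat -c %a "$2" 2>/dev/null) || live=missing
    echo "$2 declared=$declared live=$live"
    [ "$live" != missing ] && world_rw "$live"
}

# Constructed sample: lines copied from the static-nodes.conf output above.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
c! /dev/fuse 0600 - - - 10:229
d /dev/net 0755 - - -
c! /dev/net/tun 0600 - - - 10:200
EOF

if check_node "$sample" /dev/fuse; then
    echo "OK: /dev/fuse is usable without root"
else
    echo "FAIL: /dev/fuse is missing or not rw for unprivileged users"
fi
```

Printing both values separates the two situations reported in the thread: a declared 0600 with a live 666 means something after tmpfiles widened the mode, while 0600 in both places means nothing did.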
