From c9f71974f8b7f277bae859a8c71289e92be7c49b Mon Sep 17 00:00:00 2001
From: Tuomas Tynkkynen
Date: Sat, 16 Dec 2017 20:21:26 +0200
Subject: [PATCH] make-disk-image.nix: Remove write permissions from /nix/store
Fakeroot seems to always give the owner write bit to any files touched inside it (presumably to easily simulate the fact that root can still modify such files). So do an explicit chmod to remove them. This should finally solve #32242 after the EC2 images are regenerated with this change. https://hydra.nixos.org/build/66143116
---
 nixos/lib/make-disk-image.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/nixos/lib/make-disk-image.nix b/nixos/lib/make-disk-image.nix
index d67ca0e527e..b12cf68fd36 100644
--- a/nixos/lib/make-disk-image.nix
+++ b/nixos/lib/make-disk-image.nix
@@ -129,6 +129,9 @@ let format' = format; in let
 # TODO: Nix really likes to chown things it creates to its current user...
 fakeroot nixos-prepare-root $root ${channelSources} ${config.system.build.toplevel} closure
+ # fakeroot seems to always give the owner write permissions, which we do not want
+ find $root/nix/store -mindepth 1 -maxdepth 1 -type f -o -type d -exec chmod -R a-w '{}' \;
+
 echo "copying staging root to image..."
 cptofs ${optionalString partitioned "-P 1"} -t ${fsType} -i $diskImage $root/* /
 '';
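Review bot: The added `find` only runs `chmod` on directories, because `-o` binds more loosely than the implicit AND: the expression parses as `-type f -o ( -type d -exec … )`. Store paths that are regular files directly under `$root/nix/store` therefore match `-type f`, trigger no action, and keep the owner write bit the commit is meant to remove. Group the type tests so the action applies to both: `find $root/nix/store -mindepth 1 -maxdepth 1 \( -type f -o -type d \) -exec chmod -R a-w '{}' \;`. The enclosing shell script string starts before this hunk, so I cannot tell whether anything earlier already covers single-file store paths.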