From 33846d2ac68cf3b4e39c865120f0d8cea717b7e2 Mon Sep 17 00:00:00 2001 From: Kabir Oberai Date: Sun, 10 Nov 2024 00:40:38 -0500 Subject: [PATCH] Revert to 6f391da544cc36cfda910a2a82f722eb5594c64c turns out environment propagation is hard --- pkgs/nix-tools/darwin-rebuild.sh | 56 +++++++++++++++----------------- 1 file changed, 27 insertions(+), 29 deletions(-) diff --git a/pkgs/nix-tools/darwin-rebuild.sh b/pkgs/nix-tools/darwin-rebuild.sh index 037d0d6f..a517258a 100644 --- a/pkgs/nix-tools/darwin-rebuild.sh +++ b/pkgs/nix-tools/darwin-rebuild.sh @@ -26,11 +26,13 @@ showSyntax() { if command sudo --help | grep -- --preserve-env= >/dev/null; then # We use `env` before our command to ensure the preserved PATH gets checked # when trying to resolve the command to execute - sudo="command sudo -H --preserve-env=PATH --preserve-env=SSH_CONNECTION" + sudo_base="command sudo -H --preserve-env=PATH --preserve-env=SSH_CONNECTION" + sudo="$sudo_base env" else - sudo="command sudo -H" + sudo_base="command sudo -H" + sudo="$sudo_base" fi -sudo() { $sudo env "$@"; } +sudo() { $sudo "$@"; } # Parse the command line. origArgs=("$@") @@ -146,28 +148,6 @@ done if [ -z "$action" ]; then showSyntax; fi -# We currently need to invoke `activate-user` as a non-root user, -# but need to be root for other actions such as switching profiles and -# running `activate`. To avoid prompting for a password multiple times, -# if we need to perform one of these actions we preemptively re-invoke -# ourselves as root but remember the user who called us so that we can -# later drop down to that user when invoking `activate-user`. -if [ "$USER" = root ]; then - if [[ -z "$NIX_DARWIN_PRIMARY_USER" ]]; then - echo "$0: must be invoked as a non-root user" - exit 1 - fi -else - case $action in - edit|switch|activate|rollback|list) - sudo NIX_DARWIN_PRIMARY_USER="$USER" @out@/bin/darwin-rebuild "${origArgs[@]}" - exit $? - ;; - esac -fi - -# From here on, if we are in the case list above, we are running as root. - flakeFlags=(--extra-experimental-features 'nix-command flakes') # Use /etc/nix-darwin/flake.nix if it exists. It can be a symlink to the @@ -219,7 +199,11 @@ if [ "$action" = switch ] || [ "$action" = build ] || [ "$action" = check ] || [ fi if [ "$action" = list ] || [ "$action" = rollback ]; then - nix-env -p "$profile" "${extraProfileFlags[@]}" + if [ "$USER" != root ] && [ ! -w $(dirname "$profile") ]; then + sudo nix-env -p "$profile" "${extraProfileFlags[@]}" + else + nix-env -p "$profile" "${extraProfileFlags[@]}" + fi fi if [ "$action" = rollback ]; then @@ -233,12 +217,26 @@ fi if [ -z "$systemConfig" ]; then exit 0; fi if [ "$action" = switch ]; then - nix-env -p "$profile" --set "$systemConfig" + if [ "$USER" != root ] && [ ! -w $(dirname "$profile") ]; then + sudo nix-env -p "$profile" --set "$systemConfig" + else + nix-env -p "$profile" --set "$systemConfig" + fi fi if [ "$action" = switch ] || [ "$action" = activate ] || [ "$action" = rollback ]; then - $sudo -u "$NIX_DARWIN_PRIMARY_USER" "$systemConfig/activate-user" - "$systemConfig/activate" + if [ "$USER" != root ]; then + # Running `$systemConfig/activate-user` may cause subsequent sudo invocations to prompt + # for the password even if we previously ran sudo in the same session, since `brew` resets + # the sudo timestamp: see https://github.com/Homebrew/brew/pull/17694. + # Indeed, by this point we've already run `nix-env --set` as sudo. So to avoid prompting a + # second time, we become root *before* running activate-user and then drop down to the user + # to invoke it. This way, the call to `activate` doesn't require a password. + sudo @shell@ -c "$sudo_base -u $USER $systemConfig/activate-user && $systemConfig/activate" + else + "$systemConfig/activate-user" + "$systemConfig/activate" + fi fi if [ "$action" = changelog ]; then