52 lines
1.4 KiB
Markdown
### Migrate to a Newer Version of Nixpkgs

```bash
# Determine the channel name you're using
nix-channel --list
nix-channel --remove <OLD_CHANNEL>
nix-channel --add <NEW_CHANNEL> # e.g. https://nixos.org/channels/nixos-25.05
nix-channel --update

# Now upgrade system profile (log to file in case of failure)
# 2>&1 sends error output through tee as well, so failures end up in the log
nixos-rebuild boot --upgrade 2>&1 | tee rebuild.log
```

## Security Implications

### NixOS Default Home Permissions

```bash
# Executing from $HOME
>>> mkdir example.d && ls -l example.d
-rw-r--r-- 1 me users 1 Jul 25 10:13 example.d
>>> echo > example.f && ls -l example.f
-rw-r--r-- 1 me users 1 Jul 25 10:15 example.f

## But these ignore facl?
>>> getfacl "$HOME"
# file: home/me
# owner: me
# group: users
user::rwx
group::---
other::---
```

Many commands default to permissions that ignore the file access control list (file ACL).
This is not a NixOS-specific issue, but it isn't ideal from a security perspective.
The simplest solution is a recursive `chmod -R 600 ~`, but there are plenty of files we
intentionally want to be different (directories, for one, need the execute bit to stay traversable).
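
The modes in the session above come from the process umask (commonly `022`), not from the mode of `$HOME`. The script below is an added example, not part of the original page: its function names are hypothetical, the sample tree is constructed, and it assumes GNU find and coreutils. It lists entries that group or other can access and tightens them without stripping the execute bit from directories.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Assumes GNU findutils/coreutils.

# Print "<octal mode> <path>" for every non-symlink entry below $1 that grants
# any permission bit to group or other (-perm /077 means "any of these bits").
audit_loose_perms() {
    find "$1" -mindepth 1 -xdev ! -type l -perm /077 -printf '%m %p\n' | sort -k2
}

# Remove group/other access below $1. Unlike `chmod -R 600`, the symbolic mode
# leaves the owner bits alone, so directories keep their execute (search) bit.
tighten_perms() {
    chmod -R go-rwx -- "$1"
}

# Build a constructed sample tree the way the session above does, once under
# umask 022 and once under umask 077, and print the number of audit findings.
demo_count() {
    local root
    root=$(mktemp -d) || return 1
    ( umask 022 && mkdir "$root/example.d" && echo > "$root/example.f" )
    ( umask 077 && mkdir "$root/private.d" && echo > "$root/private.f" )
    audit_loose_perms "$root" | wc -l
    rm -rf -- "$root"
}

# Usage: ./audit.sh DIR   (lists loose entries below DIR)
if [ $# -gt 0 ]; then
    audit_loose_perms "$1"
fi
```

Only the two entries created under umask `022` are reported; the ones created under `077` already come out as `700` and `600`.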

> [!TODO]
> Solution: Make a Nix/Home-Manager package allowing for control over folder permissions.
> Solution: Also it should warn if any files owned by $USER have a 2

## Further Reading

### Finding New Things to Do

`man 5 configuration.nix` is incredibly useful.
Similar info can be found at https://mynixos.com/options

### For your curiosity

1. https://wiki.nixos.org/wiki/Firejail