From 5e872a497448f8c03d13a45996de60afa27da013 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Sun, 20 Jul 2025 12:37:37 +0200
Subject: [PATCH 1/2] nixos/wrappers: explicitly set RestrictSUIDSGID = false

This ensures the wrapper setup service has permissions to create suid/sgid files, even if `DefaultRestrictSUIDSGID` is set in system.conf. `DefaultRestrictSUIDSGID` is a new feature coming in systemd 258 [1].

[1] https://github.com/systemd/systemd/pull/38126
---
 nixos/modules/security/wrappers/default.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index 3f861ef7a257..cc1810c534bc 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -318,6 +318,7 @@ in
 "/nix/store"
 "/run/wrappers"
 ];
+ serviceConfig.RestrictSUIDSGID = false;
 serviceConfig.Type = "oneshot";
 script = ''
 chmod 755 "${parentWrapperDir}"

From 248c463f69c5779342dc8b7e1b893b50598128a8 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Sun, 20 Jul 2025 12:40:26 +0200
Subject: [PATCH 2/2] nixos/tmpfiles: explicitly set RestrictSUIDSGID = false

This ensures the tmpfiles resetup service has permissions to create suid/sgid files, even if `DefaultRestrictSUIDSGID` is set in system.conf. This is required, as tmpfiles are used to e.g. set file permissions on the journal directory.`DefaultRestrictSUIDSGID` is a new feature coming in systemd 258 [1].

[1] https://github.com/systemd/systemd/pull/38126
---
 nixos/modules/system/boot/systemd/tmpfiles.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nixos/modules/system/boot/systemd/tmpfiles.nix b/nixos/modules/system/boot/systemd/tmpfiles.nix
index d5541be0e966..8eb492a958e7 100644
--- a/nixos/modules/system/boot/systemd/tmpfiles.nix
+++ b/nixos/modules/system/boot/systemd/tmpfiles.nix
@@ -280,6 +280,7 @@ in
 "network.hosts"
 "ssh.authorized_keys.root"
 ];
+ RestrictSUIDSGID = false;
 };
 };
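Review bot: The added `serviceConfig.RestrictSUIDSGID = false;` in the wrappers hunk carries no comment, so a later reader of default.nix sees a hardening option switched off on a root oneshot unit with no stated reason; the justification exists only in the commit message. I would put a comment directly above it, `# Creating the setuid/setgid wrappers needs this even when DefaultRestrictSUIDSGID=yes is set in system.conf (systemd 258+).`, and the same comment fits the `RestrictSUIDSGID = false;` line in the tmpfiles.nix hunk of the second patch. The enclosing service definition starts and ends outside the hunk, and the script shown here only chmods the parent wrapper directory, so the wrapper-creation step this protects is not itself visible in the hunk.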
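Review bot: The added `RestrictSUIDSGID = false;` in the tmpfiles hunk sits inside an attribute set whose name is outside the hunk, so it is not visible here that it lands in the unit's `serviceConfig` rather than in a sibling attribute set where systemd would never read it; this is worth confirming against the enclosing definition. The first patch writes the same option as `serviceConfig.RestrictSUIDSGID = false;`, a form that makes the target unambiguous at the point of reading, and the two sites could agree on one form. Whether other privileged oneshot setup units are subject to the same new default is likewise not visible from this patch and would be worth a check, since the commit message ties the need to the journal directory permissions only by example. The enclosing unit definition starts outside the hunk.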