git 2.35.2 breaks nixos-rebuild with flake repo owned by non-root user

[NickCao]

Describe the bug

After upgrading to git 2.35.2 (which is the version currently in nixos-unstable-small), running sudo nixos-rebuild switch with a flake repo owned by non-root user would result in a cryptic error message saying

warning: Not a git repository. Use --no-index to compare two paths outside a working tree
usage: git diff --no-index [<options>] <path> <path>
...... (the full git diff help)
error: program 'git' failed with exit code 129
(use '--show-trace' to show detailed location information)

The underlying reason is that due to the fix for CVE-2022-24765, git now effectively treats any directory not owned by the calling user as not a git repo. A temporary workaround would be to add the repo to safe.directory entry of the root user's git config. A possible long term fix is to only use sudo or others means for privilege elevation when absolutely required in nixos-rebuild.

Notify maintainers

@Profpatsch

Metadata

 - system: `"x86_64-linux"`
 - host os: `Linux 5.17.3, NixOS, 22.05 (Quokka), 22.05.20220418.f26866c`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.8.0pre20220411_f7276bc`
 - nixpkgs: `/nix/store/xy6wkddgna3rsmqkb53120x8lpf1pbvr-source`

[andrevmatos]

This also breaks sudo nixos-container --flake for the same reason

[izik1]

Note: An extra hacky work around if you can't modify root's gitconfig (say, because you'd need to use this same flake to do so) is to chown the directory to root, do your temp fix, and chown it back 🤣 (I wouldn't recommend doing that unless you have to and know what you're doing)

[hqurve]

Can we also build the config using unprivileged nixos-rebuild build --flake and then run sudo ./result/bin/switch-to-configuration <action>?

[SuperSandro2000]

Such a nonsense CVE 🙄 If people can drop malicious files on your filesystem you are already fucked.

[SuperSandro2000]

Workaround to get your machines updated

$ sudo git config --global --add safe.directory /etc/nixos

[NickCao]

Just found out that nixos-rebuild has a --use-remote-sudo flag, which does exactly my second solution.

[SuperSandro2000]

I am questioning myself: Why is this not the default? Sounds like it should be to me.

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/sudo-nixos-rebuild-switch-not-a-git-repository/18763/2

[Artturin]

lets keep this open until something is done so this works by default