Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package nix for openSUSE:Factory checked in at 2026-05-28 23:12:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nix (Old) and /work/SRC/openSUSE:Factory/.nix.new.1937 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nix" Thu May 28 23:12:06 2026 rev:19 rq:1355644 version:2.34.7 Changes: -------- --- /work/SRC/openSUSE:Factory/nix/nix.changes 2026-05-05 17:59:02.036862969 +0200 +++ /work/SRC/openSUSE:Factory/.nix.new.1937/nix.changes 2026-05-28 23:12:16.072210170 +0200 @@ -1,0 +2,10 @@ +Wed May 27 13:42:38 UTC 2026 - Eyad Issa <[email protected]> + +- Restrict access to nix-daemon socket and directory to nix-users + group (bsc#1266366). + * Add 0002-restrict-nix-daemon-socket.patch to set + SocketMode=0660 and SocketGroup=nix-users. + * Add README.SUSE with instructions for users. + * Implement one-time update message for version 2.34.7 in %post. + +------------------------------------------------------------------- New: ---- 0002-restrict-nix-daemon-socket.patch README.SUSE ----------(New B)---------- New: group (bsc#1266366). * Add 0002-restrict-nix-daemon-socket.patch to set SocketMode=0660 and SocketGroup=nix-users. ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nix.spec ++++++ --- /var/tmp/diff_new_pack.yUu6df/_old 2026-05-28 23:12:17.988288933 +0200 +++ /var/tmp/diff_new_pack.yUu6df/_new 2026-05-28 23:12:17.992289098 +0200 @@ -19,12 +19,12 @@ %global services nix-daemon.socket nix-daemon.service -%bcond_with docs - %if 0%{?suse_version} == 1500 %global force_boost_version 1_75_0 %endif +%bcond_with docs + Name: nix Version: 2.34.7 Release: 0 @@ -34,8 +34,10 @@ Source: https://github.com/NixOS/nix/archive/refs/tags/%{version}/%{name}-%{version}.tar.gz Source1: nix.conf Source2: sysusers.conf +Source3: README.SUSE Source9: series Patch1: 0001-port-option-to-disable-functional-tests-to-meson.patch +Patch2: 0002-restrict-nix-daemon-socket.patch BuildRequires: bison BuildRequires: boost-devel BuildRequires: busybox-static @@ -144,6 +146,7 @@ %prep %autosetup -p1 +cp %{SOURCE3} . %build echo %{version} > .version 
@@ -214,6 +217,11 @@ %tmpfiles_create %{_tmpfilesdir}/nix-daemon.conf %service_add_post %{services} %{ldconfig} +%if "%{version}" == "2.34.7" +# inform users about the restricted socket access +mkdir -p %{_localstatedir}/adm/update-messages/ +cat %{_docdir}/nix/README.SUSE > %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release}-security +%endif %postun %service_del_postun %{services} @@ -222,7 +230,7 @@ %files %license COPYING %doc doc/manual/source/release-notes/rl-2.34.md -%doc CONTRIBUTING.md README.md +%doc CONTRIBUTING.md README.md README.SUSE # config files %config(noreplace) %{_sysconfdir}/nix/ %config %{_sysconfdir}/profile.d/nix-daemon.fish @@ -244,7 +252,7 @@ %ghost %dir %attr(755,root,root) /nix %ghost %dir %attr(755,root,root) /nix%{_localstatedir} %ghost %dir %attr(755,root,root) /nix%{_localstatedir}/nix -%ghost %dir %attr(755,root,root) /nix%{_localstatedir}/nix/daemon-socket +%ghost %dir %attr(750,root,nix-users) /nix%{_localstatedir}/nix/daemon-socket %ghost %dir %attr(755,root,root) /nix%{_localstatedir}/nix/builds # manual %if %{with docs} ++++++ 0002-restrict-nix-daemon-socket.patch ++++++ From: Eyad Issa <[email protected]> Date: Wed, 27 May 2026 12:00:00 +0000 Subject: [PATCH] Restrict access to nix-daemon socket and directory Restrict access to the nix-daemon UNIX domain socket and its parent directory to the 'nix-users' group. This reduces the local attack surface by making the Nix daemon API opt-in for authorized users. Fixes: bsc#1266366 --- --- a/misc/systemd/nix-daemon.socket.in +++ b/misc/systemd/nix-daemon.socket.in @@ -5,6 +5,8 @@ [Socket] ListenStream=@localstatedir@/nix/daemon-socket/socket +SocketMode=0660 +SocketGroup=nix-users [Install] WantedBy=sockets.target --- a/misc/systemd/nix-daemon.conf.in +++ b/misc/systemd/nix-daemon.conf.in 
@@ -1,2 +1,2 @@ -d @localstatedir@/nix/daemon-socket 0755 root root - - +d @localstatedir@/nix/daemon-socket 0750 root nix-users - - d @localstatedir@/nix/builds 0755 root root 7d - ++++++ README.SUSE ++++++ Important Security Update for Nix Users ======================================= To improve system security, the `nix-daemon` socket is no longer globally accessible. You must now be a member of the `nix-users` group to interact with the Nix daemon. If you are receiving connection errors, please add your user to the group and log out/log back in: sudo usermod -a -G nix-users <your_username> ++++++ series ++++++ --- /var/tmp/diff_new_pack.yUu6df/_old 2026-05-28 23:12:18.104293702 +0200 +++ /var/tmp/diff_new_pack.yUu6df/_new 2026-05-28 23:12:18.124294524 +0200 @@ -1,2 +1,3 @@ 0001-port-option-to-disable-functional-tests-to-meson.patch +0002-restrict-nix-daemon-socket.patch
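Review bot: the `@@ -19,12 +19,12 @@` hunk in nix.spec moves `%bcond_with docs` below the `%if 0%{?suse_version} == 1500` block with no functional reason visible in the diff and no mention in the nix.changes entry; if the reorder is unintentional, drop it so the request stays limited to the socket-restriction change.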
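Review bot: the `%post` block in the `@@ -214,6 +217,11 @@` hunk fires on every install of 2.34.7, including fresh installs where there is no previous unrestricted socket to warn about; wrapping it in `if [ "$1" -gt 1 ]; then ... fi` would limit the update message to upgrades. `cat %{_docdir}/nix/README.SUSE` also assumes the `%doc` file is present, which it is not when the package is installed with `--excludedocs`, so either guard it with `[ -r %{_docdir}/nix/README.SUSE ] &&` or write the text into the message file via a heredoc. Since the `%if "%{version}" == "2.34.7"` condition has to be removed by hand on the next version bump, a comment saying so next to it would help the next maintainer.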
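Review bot: nothing in this diff creates the `nix-users` group: `Source2: sysusers.conf` is unchanged, yet the new tmpfiles line `d @localstatedir@/nix/daemon-socket 0750 root nix-users - -`, the `%attr(750,root,nix-users)` ghost directory in `%files`, and `SocketGroup=nix-users` in nix-daemon.socket.in all require the group to exist before `%tmpfiles_create` and socket activation run; otherwise systemd-tmpfiles rejects the line and nix-daemon.socket fails to start, which locks out root-started services rather than only unprivileged users. Please confirm the existing sysusers.conf already declares the group, and otherwise add a `g nix-users -` entry to it and note this in nix.changes.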
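Review bot: `SocketMode=0660` and `SocketGroup=nix-users` in the nix-daemon.socket.in hunk only apply when nix-daemon.socket is (re)started, so on upgrade the socket file created by the previous unit keeps its old mode until that happens; the spec relies on `%service_add_post %{services}` (which lists `nix-daemon.socket`) for the restart, which is worth confirming actually restarts the socket unit on this update, since otherwise the restriction announced in README.SUSE is not in force until the next reboot. The directory side is fine: the `0750 root nix-users` tmpfiles entry is applied to an already existing `daemon-socket` directory as well, so `%tmpfiles_create` in `%post` tightens the directory immediately.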
