Self-built custom LXC/Incus container image suddenly has 777 permissions for / #411

@heini

Description

Hi,

two weeks ago, I created customized NixOS 24.05 images for Incus, following https://wiki.nixos.org/wiki/Incus#Custom_Images. These images worked fine out of the box.

Yesterday, I created another set, for both 24.05 and 24.11, and found that I could not log in to instances launched from these images via SSH. The reason for this was that the root filesystem has 777 permissions instead of 755, which made sshd complain and reject any login attempt.

# incus shell test

[root@nixos:~]# ll -a /
total 4
drwxrwxrwx   1 root   root     98 Dec  1 18:25 .       # <-- These permissions are wrong
drwxrwxrwx   1 root   root     98 Dec  1 18:25 ..
drwxr-xr-x   1 root   root      4 Dec  1 18:25 bin
drwxr-xr-x   9 root   root    520 Dec  1 18:25 dev
drwxr-xr-x   1 root   root    772 Dec  1 18:25 etc
drwxr-xr-x   1 root   root      0 Dec  1 18:25 home
drwxr-xr-x   1 root   root      0 Dec  1 18:25 mnt
drwxr-xr-x   1 root   root     16 Dec  1 18:25 nix
dr-xr-xr-x 270 nobody nogroup   0 Dec  1 18:25 proc
drwx------   1 root   root     50 Dec  1 18:25 root
drwxr-xr-x  16 root   root    420 Dec  1 18:25 run
drwxr-xr-x   1 root   root      8 Dec  1 18:25 sbin
drwxr-xr-x   1 root   root      0 Dec  1 18:25 srv
dr-xr-xr-x  13 nobody nogroup   0 Nov 30 20:36 sys
drwxrwxrwt   1 root   root    658 Dec  1 18:25 tmp
drwxr-xr-x   1 root   root      6 Dec  1 18:25 usr
drwxr-xr-x   1 root   root     82 Dec  1 18:25 var

NOTE: The image configuration didn't change between the two attempts, except for running nix flake update since the first (successful) image creation.

BTW, while we're at it: On said wiki page...

  1. The second example for "all in one command", which should be the one for container images, just repeats the one for VMs.
  2. In the commands, the .#nixosConfigurations... parts should be quoted, like '.#nixosConfigurations...', since otherwise the shell tries to interpret them.
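A check for the failure mode described above, added here as an example and not part of the issue or of the Incus/NixOS projects: it replicates sshd's StrictModes test on the ancestor directories of a home directory, so a built image root can be validated before instances are launched from it. The function name and the GNU coreutils stat invocation are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue reporter or the Incus/NixOS projects).
# sshd with StrictModes refuses a user's authorized_keys when the home
# directory or any of its parents is group- or world-writable, which is why a
# root filesystem with mode 777 rejects every key-based login. This function
# walks from PATH up to ROOT and prints each directory that trips that check.
#
# Usage: check_path_modes ROOT PATH
#   ROOT  directory to treat as "/" (a mounted/unpacked image root, or / itself)
#   PATH  path relative to ROOT whose ancestors are checked (e.g. /root)
# Returns 0 if every directory is clean, 1 if at least one is writable by
# group or others, 2 if a directory could not be stat'ed.
# Assumes GNU coreutils stat (-c %a prints the octal mode, e.g. 755 or 1777).
check_path_modes() {
    root="${1%/}"          # "/" becomes "", so "$root/$rel" stays absolute
    rel="${2#/}"
    dir="$root/$rel"
    dir="${dir%/}"         # PATH "/" checks ROOT itself
    [ -n "$dir" ] || dir=/
    bad=0
    while :; do
        mode=$(stat -c %a "$dir") || return 2
        # 022 masks the group-write and other-write bits; the leading 0 makes
        # the shell read the stat output as an octal constant
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            printf '%s mode %s is group/world writable\n' "$dir" "$mode"
            bad=1
        fi
        # stop once the configured root (or the real /) has been checked
        [ "$dir" = "${root:-/}" ] && break
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return "$bad"
}

# Inside an affected instance:   check_path_modes / /root
# On an unpacked image rootfs:   check_path_modes /tmp/rootfs /root
```

sshd additionally requires each of these directories to be owned by root or by the logging-in user, so a clean result from this check covers the mode half of the StrictModes test only.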
