From d5378cec85f6e7ef3ed4c6db3d678b38f2aaa5f7 Mon Sep 17 00:00:00 2001 From: Jason Yundt Date: Tue, 24 Jun 2025 09:08:27 -0400 Subject: [PATCH] nixos/systemd: fix run0 failing to run commands MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes #361592. I was able to test this change by doing the following: 1. Create a file named “test-systemd-run0.nix” that contains this Nix expression: let nixpkgs = /path/to/nixpkgs; pkgs = import nixpkgs { }; in pkgs.testers.runNixOSTest { name = "test-systemd-run0"; nodes.machine = { security.polkit.enable = true; }; testScript = '' start_all() machine.succeed("run0 env") ''; } 2. Replace “/path/to/nixpkgs” with the actual path to an actual copy of Nixpkgs. 3. Run the integration test by running this command: nix-build (cherry picked from commit d54262911cee609de70c254cf6f3407d962219c8)
---
 nixos/modules/system/boot/systemd.nix | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 753dab0af4f8..2fa9eb16d82b 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -831,6 +831,15 @@ in
 minsize = "1M";
 };
 };
+
+ # run0 is supposed to authenticate the user via polkit and then run a command. Without this next
+ # part, run0 would fail to run the command even if authentication is successful and the user has
+ # permission to run the command. This next part is only enabled if polkit is enabled because the
+ # error that we’re trying to avoid can’t possibly happen if polkit isn’t enabled. When polkit isn’t
+ # enabled, run0 will fail before it even tries to run the command.
+ security.pam.services = mkIf config.security.polkit.enable {
+ systemd-run0 = { };
+ };
 };

 # FIXME: Remove these eventually.
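Review bot: The added `systemd-run0 = { };` entry takes every default of the NixOS PAM module for a service that sits on a privilege-elevation path, and the comment above it explains why the entry must exist but not which part of the generated PAM stack run0 depends on. Presumably run0 only needs the account/session side here, since authentication is done by polkit; if the author can confirm that, a comment such as `# Left empty on purpose: run0 authenticates through polkit and only needs the default account/session stack from this service.` would make sure a later change to the PAM defaults is reviewed with run0 in mind. The diffstat shows only systemd.nix changed, so the `machine.succeed("run0 env")` check from the description is not kept as a regression test; adding it to an existing NixOS test would catch this breaking again. The enclosing attribute set starts outside the hunk.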