systemd's PermissionsStartOnly is deprecated #53852

Open · nh2 opened this issue Jan 12, 2019 · 25 comments
nh2 (Contributor) commented Jan 12, 2019

See systemd/systemd#10802:

PermissionsStartOnly is deprecated (but not yet removed); the replacements are the special executable prefixes mentioned in https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart=.

We have many occurrences of this in nixpkgs (as per commit ad23ea3):

```
% git grep PermissionsStartOnly upstream/master | wc -l
130
```

It's not urgent, as it still works right now, but it's problematic that you can't any longer find any docs about a feature that we use almost everywhere.

Fixing it isn't totally trivial because PermissionsStartOnly is/was a separate setting, but with the new approach we actually have to write characters in front of ExecStartPre lines and so on.

Edit: Another key problem is that serviceConfig is an attrset, so you cannot use it to do what systemd allows: creating multiple ExecStart lines (or similar lines) like:

```
ExecStart=+...something here...
ExecStart=...something else here...
```

because in an attrset there can be only 1 ExecStart. Edit: Likely workaround for that in #53852 (comment).

nh2 (Contributor, Author) commented Jan 12, 2019

For context, here are the docs that are now no longer there:

> PermissionsStartOnly
>
> Takes a boolean argument. If true, the permission-related execution options, as configured with User= and similar options (see systemd.exec(5) for more information), are only applied to the process started with ExecStart=, and not to the various other ExecStartPre=, ExecStartPost=, ExecReload=, ExecStop=, and ExecStopPost= commands. If false, the setting is applied to all configured commands the same way. Defaults to false.

flokli (Contributor) commented Feb 11, 2019

@nh2 in a lot of cases, the ExecStartPre scripts only set up a directory structure, which should probably better be done by systemd.tmpfiles.rules

@fpletz fpletz added this to the 19.09 milestone Feb 12, 2019
fpletz (Member) commented Feb 12, 2019

The change looks easy enough. I propose we target 19.09 to deprecate this option in the NixOS systemd module with a warning and fix all of our modules until then.

nh2 (Contributor, Author) commented Feb 12, 2019

@fpletz That sounds good to me.

aanderse (Member) commented

@nh2 @flokli @fpletz I don't mind picking away at this, but I'd like to make sure I'm on the right track... does #56265 look good so far? I figured commit per module so it can easily be cherry picked.

nh2 (Contributor, Author) commented Feb 24, 2019

@aanderse From a quick look, the approach looks correct to me.

I'd mention this issue in each commit message though so that people can easily find this issue from them.

nixos-discourse commented

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/systemd-permissions/10150/5

@FRidh FRidh modified the milestones: 20.09, 21.03 Dec 20, 2020
nh2 (Contributor, Author) commented Dec 26, 2020

I'm trying to package a Django app, and need to make its /static/ subdir (which is in /var, not in the nix store) world-readable recursively so that nginx can read it.

How do I do that with systemd-tmpfiles?

nixos-discourse commented

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/systemd-services-should-allow-running-commands-as-root/5036/17

nixos-discourse commented

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/systemd-services-should-allow-running-commands-as-root/5036/18

nh2 (Contributor, Author) commented Dec 27, 2020

> Edit: Another key problem is that serviceConfig is an attrset, so you cannot use it to do what systemd allows: Creating multiple ExecStart lines

> I'm trying to package a Django app, and need to make its /static/ subdir (which is in /var, not in the nix store) world-readable recursively so that nginx can read it.

I think a workaround for that is to use 1 ExecStart line and separate the invocations by ; (with spaces left and right of it). That way, + can be used to run some of those invocations as root. Example from here:

```nix
ExecStart = "+${u51PermsScript} ; ${managepyScript}";
```
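The migration described in the opening post and the `;` workaround above, written out as an added example that is not part of this issue or of any nixpkgs module. The application package (`exampleApp`), the data directory, the user name and the script contents are assumptions chosen for illustration. The "before" service keeps the deprecated behaviour; the "after" services express the same privilege split with the executable prefixes from systemd.service(5).

```nix
# Added example (not from the issue or from nixpkgs): moving a NixOS service
# off PermissionsStartOnly. Package, paths and user are placeholders.
{ config, pkgs, ... }:
let
  exampleApp = pkgs.exampleapp;        # placeholder, not a real nixpkgs attribute
  dataDir = "/var/lib/exampleapp";     # assumed state directory outside the store

  # Root-only preparation step: create the tree and hand it to the service user.
  # nginx (or any other reader) needs read + traverse on the static files only,
  # so give "other" r/X rather than a blanket chmod -R 777.
  fixPerms = pkgs.writeShellScript "exampleapp-fix-perms" ''
    set -eu
    ${pkgs.coreutils}/bin/mkdir -p ${dataDir}/static
    ${pkgs.coreutils}/bin/chown -R exampleapp:exampleapp ${dataDir}
    ${pkgs.coreutils}/bin/chmod -R u=rwX,g=rX,o=rX ${dataDir}/static
  '';
in
{
  # BEFORE (deprecated): User= applies only to ExecStart=, so every other
  # Exec*= line, including this ExecStartPre=, silently runs as root.
  systemd.services.exampleapp-old = {
    serviceConfig = {
      User = "exampleapp";
      PermissionsStartOnly = true;
      ExecStartPre = "${fixPerms}";
      ExecStart = "${exampleApp}/bin/exampleapp --serve";
    };
  };

  # AFTER: User= now applies to all Exec*= lines. The "+" prefix opts one
  # command back into full privileges, so the decision is visible next to the
  # command instead of hidden in a separate directive. Note that "+" also
  # skips CapabilityBoundingSet= and the file-system sandboxing options for
  # that command; the "!" prefix lifts only User=/Group=/SupplementaryGroups=
  # and is the closer match to what PermissionsStartOnly used to do.
  systemd.services.exampleapp = {
    serviceConfig = {
      User = "exampleapp";
      ExecStartPre = "!${fixPerms}";
      ExecStart = "${exampleApp}/bin/exampleapp --serve";
    };
  };

  # Several commands in ONE directive, as in the workaround above: separate
  # them with " ; " and attach the prefix only to the command that needs it.
  # systemd accepts more than one ExecStart= command only for Type=oneshot;
  # for a long-running service keep the privileged step in ExecStartPre=.
  systemd.services.exampleapp-migrate = {
    serviceConfig = {
      Type = "oneshot";
      User = "exampleapp";
      ExecStart = "!${fixPerms} ; ${exampleApp}/bin/exampleapp migrate";
    };
  };
}
```

The rendered unit for `exampleapp` contains `User=exampleapp`, `ExecStartPre=!/nix/store/...-exampleapp-fix-perms` and an unprefixed `ExecStart=`, which is what the deprecated option expressed implicitly. The practical check after migrating is to confirm that the main process really dropped privileges (`systemctl show -p User,ExecStartPre,ExecStart exampleapp` and `ps -o user,cmd -C exampleapp`), since with the old option a typo in `User=` was masked for the prep steps and is now masked for none of them.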

flokli (Contributor) commented Dec 27, 2020

> I'm trying to package a Django app, and need to make its /static/ subdir (which is in /var, not in the nix store) world-readable recursively so that nginx can read it.
>
> How do I do that with systemd-tmpfiles?

If the user specified in the unit owns the files in /static, it should be able to just chmod -R +x, shouldn't it? You don't need to become root for this.

stale bot commented Jun 26, 2021

I marked this as stale due to inactivity.

@stale stale bot added the 2.status: stale label Jun 26, 2021
flokli (Contributor) commented Jun 26, 2021

This is not stale. There's still a lot of modules using PermissionsStartOnly, which need to be migrated.

@stale stale bot removed the 2.status: stale label Jun 26, 2021
@schmittlauch schmittlauch modified the milestones: 21.05, 21.11 Aug 26, 2021
@Mic92 Mic92 removed the keepalive label Dec 11, 2021
@stale stale bot added the 2.status: stale label Jun 12, 2022
@Artturin Artturin modified the milestones: 21.11, 23.05 Dec 31, 2022
@stale stale bot removed the 2.status: stale label Dec 31, 2022

RaitoBezarius (Member) commented

For NixOS 23.05:

```
❯ git grep PermissionsStartOnly | wc -l
37
```

Based on the maintenance data in there:

This would bring us to 30 with non-explicit maintainers on them, I will try to look in the Git history when I have time.

shyim (Member) commented Apr 3, 2023

blackfire explicitly removes PermissionsStartOnly

```
--replace 'PermissionsStartOnly=true' ""
```

I guess that should be fine :)

RaitoBezarius (Member) commented

> blackfire explicitly removes PermissionsStartOnly
>
> ```
> --replace 'PermissionsStartOnly=true' ""
> ```
>
> I guess that should be fine :)

Shame on me! :) Thank you!

mweinelt added a commit to mweinelt/nixpkgs that referenced this issue Apr 3, 2023
This should work as a drop-in replacement and satisfy NixOS#53852.
@RaitoBezarius RaitoBezarius modified the milestones: 23.05, 23.11 May 31, 2023