fix(nix): replace chown -R with targeted find in container entrypoint (#23633)

The container entrypoint ran `chown -R` on $HERMES_HOME every start.
`chown` strips the setgid bit (kernel security behavior), destroying
the 2770 permissions the NixOS activation script sets for group access
by hostUsers. This caused PermissionError for interactive CLI users
even though they were in the hermes group.

Replace with `find ... ! -user $UID -exec chown` which only touches
files with wrong ownership, leaving correctly-owned directories and
their permission bits intact.

Affects: container.enable + container.hostUsers + addToSystemPackages

Related: #19795, #19788, #9383
Siddharth Balyan 2026-05-11 12:59:57 +05:30 committed by GitHub
parent 5606258855
commit 64145a1996
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -117,9 +117,13 @@
chown "$HERMES_UID:$HERMES_GID" "$TARGET_HOME"
chmod 0750 "$TARGET_HOME"
# Ensure HERMES_HOME is owned by the target user
# Ensure HERMES_HOME is owned by the target user.
# Use find instead of chown -R: chown strips the setgid bit (kernel
# behavior), destroying the 2770 permissions the NixOS activation
# script sets for group access by hostUsers. Only touch files with
# wrong ownership so correctly-owned dirs keep their permission bits.
if [ -n "''${HERMES_HOME:-}" ] && [ -d "$HERMES_HOME" ]; then
chown -R "$HERMES_UID:$HERMES_GID" "$HERMES_HOME"
find "$HERMES_HOME" \! -user "$HERMES_UID" -exec chown "$HERMES_UID:$HERMES_GID" {} +
fi
# ── Provision apt packages (first boot only, cached in writable layer) ──
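Review bot: the `find` predicate in the new line only tests `-user`, so an entry already owned by `$HERMES_UID` but carrying a stale group is skipped and never receives `$HERMES_GID`; since the motivation for this change is group access by hostUsers, consider matching on either field, e.g. `find "$HERMES_HOME" \( \! -user "$HERMES_UID" -o \! -group "$HERMES_GID" \) -exec chown "$HERMES_UID:$HERMES_GID" {} +`. Worth stating in the comment block as well: any path that does match still goes through `chown`, so the setgid-stripping the comment describes still applies to it, and the 2770 mode on `$HERMES_HOME` itself is preserved only when that directory is already owned by `$HERMES_UID` before the entrypoint runs. The `\!` escaping (which becomes `!` after Nix string interpolation of `''$`) is fine for POSIX `find`, and `-exec ... {} +` keeps the per-file cost down on large homes.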