From 516dbe1fa40548945f18135875ed22228db4ce33 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 11 Jan 2025 15:44:41 +0000 Subject: [PATCH] darwin-rebuild: require running as `root` --- .github/workflows/test.yml | 20 +++++------ README.md | 16 ++++----- pkgs/darwin-uninstaller/default.nix | 8 ++--- pkgs/nix-tools/darwin-rebuild.sh | 56 ++++++++++++++--------------- 4 files changed, 49 insertions(+), 51 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d87b763..f6da467 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -39,8 +39,8 @@ jobs: nix_path: nixpkgs=channel:${{ env.NIXPKGS_BRANCH }} - name: Install channels run: | - nix-channel --add https://nixos.org/channels/${{ env.NIXPKGS_BRANCH }} nixpkgs - nix-channel --update + sudo nix-channel --add https://nixos.org/channels/${{ env.NIXPKGS_BRANCH }} nixpkgs + sudo nix-channel --update - name: Install nix-darwin run: | sudo mkdir -p /etc/nix-darwin @@ -61,7 +61,7 @@ jobs: /" \ /etc/nix-darwin/configuration.nix - nix run .#darwin-rebuild -- switch \ + sudo nix run .#darwin-rebuild -- switch \ -I darwin=. \ -I darwin-config=/etc/nix-darwin/configuration.nix - name: Switch to new configuration @@ -72,17 +72,17 @@ jobs: "s/pkgs.vim/pkgs.hello/" \ /etc/nix-darwin/configuration.nix - darwin-rebuild switch + sudo darwin-rebuild switch hello - name: Test uninstallation of nix-darwin run: | # We need to specify `--extra-experimental-features` because `experimental-features` is set by # `cachix/install-nix-action` but not by our default config above - nix run .#darwin-uninstaller \ + sudo nix run .#darwin-uninstaller \ --extra-experimental-features "nix-command flakes" \ --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }} - nix run .#darwin-uninstaller.tests.uninstaller \ + sudo nix run .#darwin-uninstaller.tests.uninstaller \ --extra-experimental-features "nix-command flakes" \ --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }} 
@@ -112,7 +112,7 @@ jobs: 's/nixpkgs.hostPlatform = "aarch64-darwin";/nixpkgs.hostPlatform = "'$(nix eval --expr builtins.currentSystem --impure --raw)'";/' \ flake.nix popd - nix run .#darwin-rebuild -- switch \ + sudo nix run .#darwin-rebuild -- switch \ --override-input nix-darwin . \ --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }} - name: Switch to new configuration @@ -123,12 +123,12 @@ jobs: "s/pkgs.vim/pkgs.hello/" \ /etc/nix-darwin/flake.nix - darwin-rebuild switch \ + sudo darwin-rebuild switch \ --override-input nix-darwin . \ --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }} hello - name: Test uninstallation of nix-darwin run: | - nix run .#darwin-uninstaller --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }} - nix run .#darwin-uninstaller.tests.uninstaller --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }} + sudo nix run .#darwin-uninstaller --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }} + sudo nix run .#darwin-uninstaller.tests.uninstaller --override-input nixpkgs nixpkgs/${{ env.NIXPKGS_BRANCH }} diff --git a/README.md b/README.md index 98e2ba8..fe12ec1 100644 --- a/README.md +++ b/README.md @@ -98,9 +98,9 @@ Unlike NixOS, `nix-darwin` does not have an installer, you can just run `darwin- ```bash # To use Nixpkgs unstable: -nix run nix-darwin/master#darwin-rebuild -- switch +sudo nix run nix-darwin/master#darwin-rebuild -- switch # To use Nixpkgs 24.11: -nix run nix-darwin/nix-darwin-24.11#darwin-rebuild -- switch +sudo nix run nix-darwin/nix-darwin-24.11#darwin-rebuild -- switch ``` ### Step 3. Using `nix-darwin` @@ -108,7 +108,7 @@ nix run nix-darwin/nix-darwin-24.11#darwin-rebuild -- switch After installing, you can run `darwin-rebuild` to apply changes to your system: ```bash -darwin-rebuild switch +sudo darwin-rebuild switch ``` #### Using flake inputs 
@@ -155,7 +155,7 @@ To install `nix-darwin`, you can just run `darwin-rebuild switch` to install nix ```bash nix-build '' -A darwin-rebuild -./result/bin/darwin-rebuild switch -I darwin-config=/etc/nix-darwin/configuration.nix +sudo ./result/bin/darwin-rebuild switch -I darwin-config=/etc/nix-darwin/configuration.nix ``` ### Step 4. Using `nix-darwin` @@ -163,7 +163,7 @@ nix-build '' -A darwin-rebuild After installing, you can run `darwin-rebuild` to apply changes to your system: ```bash -darwin-rebuild switch +sudo darwin-rebuild switch ``` ### Step 5. Updating `nix-darwin` @@ -186,13 +186,13 @@ The documentation is also available as manpages by running `man 5 configuration. To run the latest version of the uninstaller, you can run the following command: ``` -nix --extra-experimental-features "nix-command flakes" run nix-darwin#darwin-uninstaller +sudo nix --extra-experimental-features "nix-command flakes" run nix-darwin#darwin-uninstaller ``` If that command doesn't work for you, you can try the locally installed uninstaller: ``` -darwin-uninstaller +sudo darwin-uninstaller ``` ## Tests @@ -218,7 +218,7 @@ flag can also be used to override darwin-config or nixpkgs, for more information on the `-I` flag look at the nix-build [manpage](https://nixos.org/manual/nix/stable/command-ref/nix-build.html). ```bash -darwin-rebuild switch -I darwin=. +sudo darwin-rebuild switch -I darwin=. ``` If you're adding a module, please add yourself to `meta.maintainers`, for example diff --git a/pkgs/darwin-uninstaller/default.nix b/pkgs/darwin-uninstaller/default.nix index 658991b..2fc5cc6 100644 --- a/pkgs/darwin-uninstaller/default.nix +++ b/pkgs/darwin-uninstaller/default.nix 
@@ -53,16 +53,16 @@ in writeShellApplication { ${uninstallSystem.system}/sw/bin/darwin-rebuild activate if [[ -L /run/current-system ]]; then - sudo rm /run/current-system + rm /run/current-system fi if [[ -L /run ]]; then if [[ -e /etc/synthetic.conf ]]; then - sudo sed -i -E '/^run[[:space:]]/d' /etc/synthetic.conf - sudo /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -t &>/dev/null || true + sed -i -E '/^run[[:space:]]/d' /etc/synthetic.conf + /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -t &>/dev/null || true echo >&2 "NOTE: the /run symlink will be removed on reboot" else - sudo rm /run + rm /run fi fi diff --git a/pkgs/nix-tools/darwin-rebuild.sh b/pkgs/nix-tools/darwin-rebuild.sh index 14c56e5..8824e61 100644 --- a/pkgs/nix-tools/darwin-rebuild.sh +++ b/pkgs/nix-tools/darwin-rebuild.sh @@ -2,6 +2,12 @@ set -e set -o pipefail +if [[ $(id -u) -eq 0 ]]; then + # On macOS, `sudo(8)` preserves `$HOME` by default, which causes Nix + # to output warnings. + HOME=~root +fi + export PATH=@path@ export NIX_PATH=${NIX_PATH:-@nixPath@} @@ -22,12 +28,6 @@ showSyntax() { exit 1 } -sudo() { - # We use `env` before our command to ensure the preserved PATH gets checked - # when trying to resolve the command to execute - command sudo -H --preserve-env=PATH --preserve-env=SSH_CONNECTION env "$@" -} - # Parse the command line. origArgs=("$@") extraMetadataFlags=() @@ -142,6 +142,11 @@ done if [ -z "$action" ]; then showSyntax; fi +if [[ $action =~ ^switch|activate|rollback|check$ && $(id -u) -ne 0 ]]; then + printf >&2 '%s: system activation must now be run as root\n' "$0" + exit 1 +fi + flakeFlags=(--extra-experimental-features 'nix-command flakes') # Use /etc/nix-darwin/flake.nix if it exists. It can be a symlink to the 
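Review bot: With the `sudo` prefixes dropped, `rm /run/current-system`, the `sed -i` on `/etc/synthetic.conf` and `rm /run` only work when the whole uninstaller already runs as root, and nothing in this hunk checks that. The hunk starts mid-script, so an earlier check may exist outside it. If there is none, the only guard is the `darwin-rebuild activate` call above failing, which presumably relies on errexit and comes after whatever the script has already done. An explicit guard near the top, e.g. `if [[ $EUID -ne 0 ]]; then echo >&2 "darwin-uninstaller must be run as root"; exit 1; fi`, would fail early with a clear message.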
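Review bot: The new `$(id -u)` test sits above `export PATH=@path@`, so `id` is resolved through whatever `PATH` the caller passed in, at a point where the script may already be running as root. sudo only replaces `PATH` when the policy sets `secure_path`, so a writable directory early in the invoking user's `PATH` could supply the `id` that runs here. Bash's own variable avoids the lookup: `if [[ $EUID -eq 0 ]]; then`. Moving the block below the `PATH` export would also work.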
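Review bot: The pattern `^switch|activate|rollback|check$` does not anchor the whole alternation: `^` binds only to `switch` and `$` only to `check`. It therefore matches any value that starts with `switch`, contains `activate` or `rollback`, or ends in `check`. That over-matches, so the gate fails closed, and whether it is reachable depends on how the option parser outside this hunk constrains `$action`; the root check should still state exactly which actions it covers. Group the alternatives: `if [[ $action =~ ^(switch|activate|rollback|check)$ && $(id -u) -ne 0 ]]; then`.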
@@ -190,15 +195,10 @@ if [ "$action" = switch ] || [ "$action" = build ] || [ "$action" = check ] || [ -- "$flake#$flakeAttr.system" \ | jq -r '.[0].outputs.out') fi - fi if [ "$action" = list ] || [ "$action" = rollback ]; then - if [ "$USER" != root ] && [ ! -w $(dirname "$profile") ]; then - sudo nix-env -p "$profile" "${extraProfileFlags[@]}" - else - nix-env -p "$profile" "${extraProfileFlags[@]}" - fi + nix-env -p "$profile" "${extraProfileFlags[@]}" fi if [ "$action" = rollback ]; then @@ -222,24 +222,26 @@ else hasActivateUser= fi -if [ "$action" = switch ]; then - if [ "$USER" != root ] && [ ! -w $(dirname "$profile") ]; then - sudo nix-env -p "$profile" --set "$systemConfig" +runActivateUser() { + if [[ -n $SUDO_USER ]]; then + sudo --user="$SUDO_USER" --set-home -- "$systemConfig/activate-user" else - nix-env -p "$profile" --set "$systemConfig" + printf >&2 \ + '%s: $SUDO_USER not set, can’t run legacy `activate-user` script\n' \ + "$0" + exit 1 fi +} + +if [ "$action" = switch ]; then + nix-env -p "$profile" --set "$systemConfig" fi if [ "$action" = switch ] || [ "$action" = activate ] || [ "$action" = rollback ]; then if [[ -n $hasActivateUser ]]; then - "$systemConfig/activate-user" - fi - - if [ "$USER" != root ]; then - sudo "$systemConfig/activate" - else - "$systemConfig/activate" + runActivateUser fi + "$systemConfig/activate" fi if [ "$action" = changelog ]; then @@ -249,12 +251,8 @@ fi if [ "$action" = check ]; then export checkActivation=1 if [[ -n $hasActivateUser ]]; then - "$systemConfig/activate-user" + runActivateUser else - if [ "$USER" != root ]; then - sudo "$systemConfig/activate" - else - "$systemConfig/activate" - fi + "$systemConfig/activate" fi fi
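Review bot: `runActivateUser` can `exit 1` on an empty `$SUDO_USER` only after `nix-env -p "$profile" --set "$systemConfig"` has already run in the `switch` path. That leaves the system profile pointing at a generation that was never activated. Checking the precondition before the profile is touched avoids this, e.g. `if [[ -n $hasActivateUser && -z $SUDO_USER ]]; then` with the same message and `exit 1`, placed ahead of the `nix-env --set` block. `$SUDO_USER` is also used as found in the environment: when the command is started through sudo from a root shell it is presumably `root`, so the legacy user script would run as root rather than as a login user. Rejecting a value that resolves to uid 0 would make that case explicit.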
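Review bot: In the `check` branch, `export checkActivation=1` is followed by `runActivateUser`, which now runs the script through `sudo --user="$SUDO_USER" --set-home`. Under sudo's default `env_reset` policy, exported variables that are not listed in `env_keep` are not passed to the command. If `activate-user` relies on `checkActivation` to stop after its checks (the script is not visible here), `darwin-rebuild check` would run the full user activation instead of a dry check. Passing the variable explicitly keeps the previous behaviour, e.g. adding `--preserve-env=checkActivation` to the sudo call in `runActivateUser`, which is defined in the previous hunk.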