Forum Discussion
Former Member
5 years ago
Keyring isn't suid on nixos
Hi, I'm running nixos and my 1password-keyringhelper isn't suid.
So I get this error:
```
[1P:foundation/op-linux/src/bin/keyring_helper.rs:150]
keyring helper detected it was not running as root. This could lead to credentials being compromised, aborting!
Permissions found: EUID: 1000, EGID: 100
```
I tried security.wrappers:
```
security.wrappers = {
  "1Password-KeyringHelper" = {
    source = "${pkgs._1password-gui.out}/share/1password/1Password-KeyringHelper";
    setuid = true;
    group = "onepassword";
  };
};
```
Neither worked.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Nixos master
Sync Type: Not Provided
52 Replies
- Former Member
Hi, @DAlperin. I'm 99% certain that the binary works since I have built and installed on a NixOS machine, and I think the problem is just going to be in the derivation currently in Nixpkgs. The strange thing that I'm seeing is that somehow, libudev is no longer findable.
The first thing I want to try is to extract the policykit instruction into postInstall. We've changed how that file gets generated in the 8.6 series. If I move it to postInstall in the 8.5 derivation, I'll be able to override it in the 8.6 beta derivation. Come to think of it, that's going to be a very simple change, so maybe I can MR it today.
After that, just need to evaluate the derivation itself to figure out why precisely libudev isn't being found.
None of this requires changes to the 1Password build itself, so I'd welcome help with troubleshooting if you have time. I'm deeply buried under a lot of other work.
- Former Member
Hi @Savanni! Super excited to have first class 1pass support on my Nixos boxes. Let me know if there's anything that would be helpful on the nix/nixpkgs side of things. I package 1password for myself so I can update on demand, so I have a bit of experience in the "1password-nix connection" world.
Thank you so much again!
- Former Member
@SebTM Hey, there! The necessary changes were released yesterday in 8.6.0-6.
I opened an MR that adds the module to NixOS, but there were some problems with it. I have some more experiments to do, which possibly involves overriding the install script. I do know that there is a change in our new betas that requires a change to the install script.
This is the MR I started with: https://github.com/NixOS/nixpkgs/pull/158670. I think the module is good, but I can't prove that when my package override doesn't work. I'll have to run the experiments, though, because I don't want to have to wait until the next stable release.
- Former Member
@Savanni Thank you, that's awesome! I'm looking forward to hearing when he is well again and has time to check :+1:
- Former Member
@SebTM Hey, I wanted to let you know that I got this working last week, and that the above settings are the only ones that you'll need for NixOS. I just need a review from one particular security expert here at the company before we can merge it. Unfortunately, he was sick last week, but we can get this into the nightly builds as soon as he returns and checks my work.
- Former Member
Hey @Savanni,
thanks for your feedback, I appreciate your follow-up and efforts on this :+1: :-)
Let's stay in touch here/E-Mail me if you want (need testers) - I'm happy to help!
Best Regards
- Former Member
Hi, @SebTM. I'm really sorry for taking so long on this.
In the last couple of days, with things at work slowing down because of the winter vacations, I've been able to make some headway here. So I've been hammering away through some of this for a couple of days.
Right now, I have nothing I can ship to you. I can say that we will need to add 1Password-BrowserHelper as an SGID script. We potentially need to add 1Password-KeyringHelper as both SUID and SGID. Here's a snippet that I've added to my configuration.nix:
```
users.groups.onepassword.gid = 44399;
security.wrappers = {
  "1Password-BrowserSupport" = {
    source = "${_1password-gui}/share/1password/1Password-BrowserSupport";
    owner = "root";
    group = "onepassword";
    setuid = false;
    setgid = true;
  };
  "1Password-KeyringHelper" = {
    source = "${_1password-gui}/share/1password/1Password-KeyringHelper";
    owner = "root";
    group = "onepassword";
    setuid = true;
    setgid = true;
  };
};
```
```
However, this is not enough. We make certain assumptions about where to find these executables inside 1Password, plus we run some other checks. I've resolved the filesystem limitations and am working through a few additional problems. However, I wouldn't be able to release anything until I consult with our security experts, and the true expert in this area of the code is already on vacation for the rest of the year.
Obviously we won't want users to have to enter the above code themselves. I'll probably go ahead and start building a Nix module that handles it while I'm on break, and then really finish it off once I can get the rest of the code working.
Again, I am sorry for taking so long. Thank you for your patience, and for pushing me.
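
A way to confirm that the wrappers from the configuration.nix snippet in the post above were installed with the intended setuid/setgid bits, owner and group, as an added example that is not part of the original post or 1Password's code. It assumes NixOS installs `security.wrappers` under `/run/wrappers/bin` and that GNU `stat` is available; the function names and the `--audit` switch are hypothetical.

```shell
#!/bin/sh
# Added example: audit the wrappers declared in the configuration.nix snippet.
# Assumptions: security.wrappers land in /run/wrappers/bin; GNU stat is available.
WRAPPER_DIR="${WRAPPER_DIR:-/run/wrappers/bin}"

# check_mode LABEL MODE OWNER GROUP WANT_SUID WANT_SGID   (WANT_* is yes|no)
# MODE is octal as printed by `stat -c %a`. Returns 0 only if everything matches.
check_mode() {
  label=$1 mode=$2 owner=$3 group=$4 want_suid=$5 want_sgid=$6
  rc=0 has_suid=no has_sgid=no
  if [ $(( 0$mode & 04000 )) -ne 0 ]; then has_suid=yes; fi
  if [ $(( 0$mode & 02000 )) -ne 0 ]; then has_sgid=yes; fi
  if [ "$has_suid" != "$want_suid" ]; then
    echo "$label: setuid is $has_suid, expected $want_suid"; rc=1
  fi
  if [ "$has_sgid" != "$want_sgid" ]; then
    echo "$label: setgid is $has_sgid, expected $want_sgid"; rc=1
  fi
  if [ "$owner" != root ]; then
    echo "$label: owner is $owner, expected root"; rc=1
  fi
  if [ "$group" != onepassword ]; then
    echo "$label: group is $group, expected onepassword"; rc=1
  fi
  if [ "$rc" -eq 0 ]; then echo "$label: ok"; fi
  return "$rc"
}

# check_wrapper NAME WANT_SUID WANT_SGID: stat the installed wrapper and check it.
check_wrapper() {
  name=$1 path="$WRAPPER_DIR/$1"
  if [ ! -e "$path" ]; then echo "$name: missing from $WRAPPER_DIR"; return 2; fi
  st=$(stat -c '%a %U %G' "$path") || return 2
  # Intentionally unquoted: splits into mode, owner, group.
  check_mode "$name" $st "$2" "$3"
}

# Expectations taken from the snippet: BrowserSupport SGID only, KeyringHelper SUID+SGID.
audit() {
  failed=0
  check_wrapper 1Password-BrowserSupport no yes || failed=1
  check_wrapper 1Password-KeyringHelper yes yes || failed=1
  return "$failed"
}

if [ "${1:-}" = "--audit" ]; then audit; fi
```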
- Former Member
Hey, I'm really sad to see that nothing happens on this topic especially when there is community willingness/effort to help on which we simply can't do more at this state :(
- 1P_Blake
Community Manager
:) 👍
- Former Member
Hey 1P_Blake, thanks for the info - will wait for anything upcoming :)