
Permissions on /var/cache/locatedb prevent mlocate from being used except by root #128880

Closed
mkgvt opened this issue Jul 1, 2021 · 2 comments
Labels
0.kind: bug Something is broken

Comments

@mkgvt
Contributor

mkgvt commented Jul 1, 2021

Describe the bug
A non-root user cannot access the database for mlocate due to incorrect permissions.

To Reproduce
Steps to reproduce the behavior:

  1. Set `services.locate.locate = pkgs.mlocate` and `nixos-rebuild switch`.
  2. Attempting to find a file as a non-root user ends in an error:

     ```
     $ locate subgid
     /run/current-system/sw/bin/locate: can not open `/var/cache/locatedb': Permission denied
     /run/current-system/sw/bin/locate: can not open `/var/cache/locatedb': Permission denied
     ```
  3. The permissions for locatedb show why:

     ```
     $ ls -l /var/cache/locatedb
     47777 -rw-r----- 1 root mlocate 127221472 Jul  1 02:15 /var/cache/locatedb
     ```
  4. Changing the permissions solves the problem:

     ```
     $ sudo chmod o+r /var/cache/locatedb
     $ ls -l /var/cache/locatedb
     47777 -rw-r--r-- 1 root mlocate 127221472 Jul  1 02:15 /var/cache/locatedb
     $ locate subgid
     /etc/subgid
     ```

Related issues

  • Obliquely mentioned in #31485.
  • #124081 discusses using plocate which will also need to have correct permissions to operate.
  • #53925 discusses changing the default locate from findutils to mlocate as the former can expose private paths.

Expected behavior
A non-root user must be able to use mlocate or there is no reason for installing it.

Notify maintainers

Metadata
Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

```
$ nix-info -m
 - system: `"x86_64-linux"`
 - host os: `Linux 5.4.122, NixOS, 20.09.4379.6953332fb7b (Nightingale)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.3.11`
 - channels(root): `"nixos-20.09.4379.6953332fb7b"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
```

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module:
@mkgvt mkgvt added the 0.kind: bug Something is broken label Jul 1, 2021
@wentasah
Contributor

wentasah commented Jul 1, 2021

For me, mlocate works even when run by non-root users because it is executed via a setgid wrapper:

```nix
security.wrappers = mkIf isMLocate {
  locate = {
    group = "mlocate";
    owner = "root";
    permissions = "u+rx,g+x,o+x";
    setgid = true;
    setuid = false;
    source = "${cfg.locate}/bin/locate";
  };
};
```

My system behaves like this (and I think this is the default):

```
$ ls -l $(which locate)
-r-x--s--x 1 root mlocate 17688 Jun 30 10:17 /run/wrappers/bin/locate
```

Where is your locate binary?

The wrappers seem to be created in https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/wrappers/default.nix, but from a first look, I don't see any way to disable generation of the wrappers. Does your $PATH contain /run/wrappers/bin?
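The access model described in this comment is worth making checkable: `/var/cache/locatedb` is `root:mlocate` mode `0640` on purpose, and the only intended reader is the setgid-`mlocate` wrapper in `/run/wrappers/bin`, which filters results per user; running the unwrapped binary from `/run/current-system/sw/bin`, or making the database world-readable with `chmod o+r`, both bypass that design. The following POSIX shell script is an added diagnostic, not code from nixpkgs or from either participant. It classifies a (binary mode, database mode) pair using the mode strings `ls -l` prints, and the live `check_locate_in_path` function reports which `locate` a user's `$PATH` actually resolves to; the mode strings in the usage call are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example: diagnose whether `locate` will reach /var/cache/locatedb
# through the setgid wrapper, by inspecting `ls -l` style mode strings.

# Mode string layout: position 1 = type, 2-4 = user, 5-7 = group, 8-10 = other.
# The setgid bit is shown in the group-execute slot (position 7) as 's' or 'S'.
mode_has_setgid() {
    case "$1" in
        ??????[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# The "other" read bit is position 8; a world-readable database means the
# per-user filtering done by the wrapper no longer protects path names.
mode_other_readable() {
    case "$1" in
        ???????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify how a caller would reach the database:
#   db-world-readable  - anyone can read it directly (the chmod o+r workaround)
#   via-setgid-wrapper - group access granted by the setgid wrapper (intended)
#   denied             - unwrapped binary against a group-only database
explain_access() {
    bin_mode=$1
    db_mode=$2
    if mode_other_readable "$db_mode"; then
        echo "db-world-readable"
    elif mode_has_setgid "$bin_mode"; then
        echo "via-setgid-wrapper"
    else
        echo "denied"
    fi
}

# Live check on a running system: which `locate` is first in $PATH, and does
# it carry the setgid bit? Prints a one-word verdict plus the resolved path.
# Assumes GNU or BSD `ls -ld`; the db path is the one from this report.
check_locate_in_path() {
    db=${1:-/var/cache/locatedb}
    bin=$(command -v locate 2>/dev/null) || { echo "no-locate"; return 0; }
    bin_mode=$(ls -ld "$bin" | awk '{print $1}')
    if [ -e "$db" ]; then
        db_mode=$(ls -ld "$db" | awk '{print $1}')
    else
        db_mode="-rw-r-----"   # assume the default group-only mode if absent
    fi
    verdict=$(explain_access "$bin_mode" "$db_mode")
    echo "$verdict $bin"
}

# Usage with the mode strings quoted in the thread (constructed inputs):
explain_access '-r-x--s--x' '-rw-r-----'   # wrapper + default db
explain_access '-r-xr-xr-x' '-rw-r-----'   # unwrapped binary + default db
explain_access '-r-xr-xr-x' '-rw-r--r--'   # after the chmod o+r workaround
check_locate_in_path
```

A script that post-processes `locate` output, like the one in the closing comment, should resolve `locate` through `$PATH` or name `/run/wrappers/bin/locate` explicitly; calling `/run/current-system/sw/bin/locate` lands in the `denied` case above.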

@mkgvt
Contributor Author

mkgvt commented Jul 2, 2021

Thanks @wentasah. It turned out to be operator error. I didn't realize, when I created a script that does some post-processing of the output, that I should use /run/wrappers/bin/locate rather than /run/current-system/sw/bin/locate. Fixing the script solved the problem.

@mkgvt mkgvt closed this as completed Jul 2, 2021