Disable suid and atime on the /nix mount point on Darwin
The Determinate Nix Installer has set nosuid and noatime in DeterminateSystems/nix-installer#1338, and we figured this perf and security improvement is worthy of upstreaming.

The /nix volume shouldn't have setuid binaries anyway, and filesystems seem to generally be noatime on macOS.
Further, the garbage collector doesn't use atime.

(cherry picked from commit 4137ead)
grahamc authored and Mic92 committed Jan 13, 2025
1 parent 89f045a commit c8e7fee
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion scripts/create-darwin-volume.sh
@@ -463,7 +463,7 @@ EOF

EDITOR="$SCRATCH/ex_cleanroom_wrapper" _sudo "to add nix to fstab" "$@" <<EOF
:a
UUID=$uuid $escaped_mountpoint apfs rw,noauto,nobrowse,suid,owners
UUID=$uuid $escaped_mountpoint apfs rw,noauto,nobrowse,nosuid,noatime,owners
.
:x
EOF
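Review bot: the new `nosuid,noatime` options only reach machines whose fstab entry is created after this change; the `:a` command here appends a fresh line during volume creation and never touches an existing `UUID=$uuid ... suid,owners` entry, so installs already on disk keep setuid enabled on /nix. Either document that existing users must edit /etc/fstab (via `vifs`) and remount, or add a migration step that rewrites the old `suid` entry. The option rename itself (`suid` to `nosuid`) is correct and matches the stated intent; as a check after install, `mount | grep ' /nix '` should list `nosuid` and `noatime` among the mount flags.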

0 comments on commit c8e7fee