Disable suid and atime on the /nix mount point on Darwin
The Determinate Nix Installer has set nosuid and noatime in DeterminateSystems/nix-installer#1338, and figured this perf and security improvement is worthy of upstreaming.

The /nix volume shouldn't have setuid binaries anyway, and filesystems seem to generally be noatime on macOS.
Further, the garbage collector doesn't use atime.
grahamc authored Dec 5, 2024
1 parent a8a572b commit 4137ead
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion scripts/create-darwin-volume.sh
@@ -463,7 +463,7 @@ EOF

EDITOR="$SCRATCH/ex_cleanroom_wrapper" _sudo "to add nix to fstab" "$@" <<EOF
:a
UUID=$uuid $escaped_mountpoint apfs rw,noauto,nobrowse,suid,owners
UUID=$uuid $escaped_mountpoint apfs rw,noauto,nobrowse,nosuid,noatime,owners
.
:x
EOF
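Review bot: the new options only reach hosts where this heredoc is run, because the `:a` command appends a fresh line to fstab; an existing install that already carries `UUID=$uuid $escaped_mountpoint apfs rw,noauto,nobrowse,suid,owners` keeps `suid` until that entry is rewritten, so either add a step that updates an existing entry or state in the commit message that existing installs are not migrated. It would also help to confirm after the volume is mounted (for example by inspecting `mount` output for the `/nix` entry) that `nosuid` and `noatime` are actually in effect, since this fstab line is the only place the script sets them.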
