From d15ce22240d623820982fa0376e30039beb7aa5c Mon Sep 17 00:00:00 2001 From: Iulian Meghea Date: Tue, 10 Feb 2026 11:51:34 +0000 Subject: [PATCH] fix: copy sudo binary before setting setuid bit symlinkJoin creates ./bin/sudo as a symlink into the Nix store. tar (without --dereference) archives symlinks as-is, so the fakeroot-tracked setuid bit on the target is silently lost. Replace the symlink with a real copy of the binary so that fakeroot can record mode 4755 on a regular file and tar faithfully preserves it in the Docker layer. --- images/nix/flake.nix | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/images/nix/flake.nix b/images/nix/flake.nix index b2b0520..f164e68 100644 --- a/images/nix/flake.nix +++ b/images/nix/flake.nix @@ -202,10 +202,13 @@ eval "$(direnv hook bash)" mkdir -p ./tmp chmod 1777 ./tmp - # sudo: set the setuid bit on the sudo binary. - # nixpkgs deliberately strips it from the Nix store; fakeroot - # records the permission and tar --hard-dereference preserves - # it in the Docker layer. + # sudo: replace the symlink with a real copy, then set the + # setuid bit. symlinkJoin creates ./bin/sudo as a symlink into + # the Nix store. tar (without --dereference) archives symlinks + # as-is, so fakeroot-tracked permissions on the target are lost. + # Copying the binary makes it a regular file whose mode fakeroot + # can record and tar will faithfully preserve in the layer. + cp --remove-destination "$(readlink -f ./bin/sudo)" ./bin/sudo chmod 4755 ./bin/sudo # Replace the sudo package's default /etc/sudoers with our own.
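Review bot: the hunk fixes a silent failure but adds no check that it is actually fixed; the commit message itself says the setuid bit was "silently lost", so a build-time assertion right after the `cp --remove-destination` line would turn any regression (a change in how symlinkJoin lays out `./bin`, or `readlink -f` returning empty because `./bin/sudo` is missing) into a failed build instead of an image whose sudo quietly lacks the bit. For example `[ -f ./bin/sudo ] && [ ! -L ./bin/sudo ] || { echo 'bin/sudo is not a regular file' >&2; exit 1; }` after the copy, and `[ "$(stat -c '%a' ./bin/sudo)" = 4755 ] || exit 1` after the `chmod 4755` (under fakeroot, `stat` reports the tracked mode). The rewritten comment could also say in one line why the removed approach did not work: GNU tar's `--hard-dereference`, which the old comment relied on, only follows hard links, not symlinks, so the store symlink was archived unchanged and fakeroot's recorded mode on the target was never consulted; that saves the next reader from re-adding the flag. Finally, since the copy inherits the store file's read-only mode and its owner is only root as far as fakeroot reports it, the `cp` must stay inside the same fakeroot session as the `chmod`, which is worth stating in the comment so nobody moves it to an earlier, non-fakeroot build phase.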