macOS 15 has group id 301 occupied. might need changing

[joshryandavis]

A new daemon occupies PrimaryGroupID 301. Thankfully can just reassign using --nix-build-group-id --nix-build-user-id-base flags but will be an issue.

This breaks the installer and uninstaller.

AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000012D
GroupMembers: FFFFEEEE-DDDD-CCCC-BBBB-AAAA0000012D
GroupMembership: _modelmanagerd
Password: *
PrimaryGroupID: 301
RealName:
 Model Manager
RecordName: _modelmanagerd
RecordType: dsRecTypeStandard:Groups

---

(Edited by @cole-h to add the following)

Cross-linking issues about this same thing:

• nix-darwin -- macOS Sequoia replaces _nixbld{1,2,3,4} with system users causing darwin-rebuild to fail LnL7/nix-darwin#970
• upstream -- macOS 15 Sequoia clobbers _nixbld1-4 users NixOS/nix#10892

[microBob]

This is the error context from the generated issue URL:

Error

Error: 
   0: Install failure
   1: Error executing action
   2: Action `create_users_and_group` errored
   3: Action `create_user` errored
   4: Failed to execute command with status 55 `"/usr/bin/dscl" "." "-create" "/Users/_nixbld1" "UniqueID" "301"`, stdout: 
      stderr: <main> attribute status: eDSRecordAlreadyExists
      <dscl_cmd> DS Error: -14135 (eDSRecordAlreadyExists)

Metadata

key	value
version	0.19.0
os	macos
arch	aarch64

[fbettag]

dscl . -search /Users UniqueID "301"                                                                                                                      ─╯
_modelmanagerd		UniqueID = (
    301
)

The last few in /etc/passwd are these here

_aonsensed:*:300:300:Always On Sense Daemon:/var/db/aonsensed:/usr/bin/false
_modelmanagerd:*:301:301:Model Manager:/var/db/modelmanagerd:/usr/bin/false
_reportsystemmemory:*:302:302:ReportSystemMemory:/var/empty:/usr/bin/false
_swtransparencyd:*:303:303:Software Transparency Services:/var/db/swtransparencyd:/usr/bin/false
_naturallanguaged:*:304:304:Natural Language Services:/var/db/com.apple.naturallanguaged:/usr/bin/false
_oahd:*:441:441:OAH Daemon:/var/empty:/usr/bin/false

[cole-h]

In the meantime, you may be able to get around this by passing --nix-build-user-id-base 305 to your install invocation, i.e.:

$ curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --nix-build-user-id-base 305 --nix-build-group-id 305

EDIT: Just saw the part about the group ID also colliding; updated the snippet for that.

[dz0ny]

I suggest getting even higher base number as Apple may add more users and groups.

curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --nix-build-user-id-base 400 --nix-build-group-id 4000

[cole-h]

I seem to recall seeing some issues in the past about setting the Darwin IDs too high (i.e. outside of the 200-400 ID range), so I'm not sure that's a great idea. This comment on the nix-darwin issue about the same problem seems to agree with that thought: LnL7/nix-darwin#970 (comment)

[emilazy]

I have posted my thoughts on what ID ranges would be good choices on the upstream issue: NixOS/nix#10892 (comment). Since this has to be coordinated throughout the entire macOS Nix ecosystem I hope we can discuss there and settle on something collectively soon.

[ahcm]

The new suggested range seems to be 450-499.
See: NixOS/nix#10892 (comment)

[cole-h]

The new suggested range seems to be 450-499. See: NixOS/nix#10892 (comment)

Thanks for that! We just merged #1038, which should detect macOS 15 and move the UIDs up to 450+ by default. Hoping to put a release out within the next couple of days that includes this fix, but for now you should be able to get it with this:

$ curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix/tag/v0.20.1 | sh -s -- install

---

I'm going to keep this issue open until the upstream installer fixes it on their end as well, in case they're able to come up with a better solution.

(EDIT: Updated URL to v0.20.1, which is the first release that includes the macOS 15 fix)

[ratbag98]

@cole-h - using either the main 0.20.1 release (which in theory has the updated code) or your commit still yields "nix_build_user_id_base": 300 in the plan:

% uname -a
Darwin intel.local 24.0.0 Darwin Kernel Version 24.0.0: Mon Jul  1 21:56:48 PDT 2024; root:xnu-11215.0.132.501.1~1/RELEASE_X86_64 x86_64

% ./nix-installer-x86_64-darwin --version                
nix-installer 0.20.1

% ./nix-installer-x86_64-darwin plan | grep build_user_id
`nix-installer` needs to run as `root`, attempting to escalate now via `sudo`...
        "nix_build_user_id_base": 300,
      "nix_build_user_id_base": 300,

Slap me with the clue-stick as required.

[emilazy]

@ratbag98 You could help out @abathur in NixOS/nix#11075; there’s a list of stuff he’d like to know from someone who updated to Sequoia and had their Nix break.

[ratbag98]

@ratbag98 You could help out @abathur in NixOS/nix#11075; there’s a list of stuff he’d like to know from someone who updated to Sequoia and had their Nix break.

I'll take a look, but I previously took the nuclear option and wiped my nix installation completely (using the manual instructions, since the installer obviously wasn't working). The machine I've put the beta on is just for testing etc., so if this continues to be an issue, I'll reinstall Sonoma, reinstall nix, then upgrade to Sequioia again and send @Abthur the information they require.

[dmelliot]

I'm getting this issue on Sonoma 14.4. I have a _defendpoint 301 user.

Is there a way to explicitly set the start of the range when using the Determinate Installer (setting NIX_FIRST_BUILD_UID="350" didn't seem to work)

---

nvm, solved with adding the params mentioned above
(but still worth flagging this issue happened on a non v15 OS)

--nix-build-user-id-base 450 --nix-build-group-id 450