author | Ben Radford <benradf@users.noreply.github.com> | 2023-07-11 11:09:25 +0100 |
---|---|---|
committer | Ben Radford <benradf@users.noreply.github.com> | 2023-07-11 11:09:25 +0100 |
commit | 2b4c59dd997c72069b6039783fea4c3b35f5cee7 | |
tree | 96ab08ce58371928846db3538ad14f32daabf1a1 | |
parent | 0caf28f2386b656b29a84ba83a20cf2abce8a606 | |
Be clearer about the security implications.
-rw-r--r-- | src/libstore/globals.hh | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index 601626d00..dec132ff0 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -533,8 +533,9 @@ public: For example, if the user lacks the CAP_SETGID capability. Search setgroups(2) for EPERM to find more detailed information on this. - If you encounter such a failure, - you can instruct Nix to continue without dropping supplementary groups by setting this option to `false`. + If you encounter such a failure, setting this option to `false` will let you ignore it and continue. + But before doing so, you should consider the security implications carefully. + Not dropping supplementary groups means the build sandbox will be less restricted than intended. )"}; #if __linux__ |
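Review bot: The last added sentence ("Not dropping supplementary groups means the build sandbox will be less restricted than intended.") names no concrete consequence, so a reader cannot weigh the risk the previous sentence asks them to consider. Suggest stating what is retained, for example that the build keeps the supplementary group memberships of the process that started it, and with them access to whatever those groups are permitted to reach. The unchanged context already points at a missing CAP_SETGID as one cause of the failure; it would help to say that resolving that cause is preferable to setting the option to `false`, so that disabling reads as a fallback rather than the first remedy. Minor wording: in "will let you ignore it and continue", "it" could refer to the failure or to the option, and "ignore the failure" would be unambiguous.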