author Ben Radford <benradf@users.noreply.github.com> 2023-07-11 11:09:25 +0100
committer Ben Radford <benradf@users.noreply.github.com> 2023-07-11 11:09:25 +0100
commit 2b4c59dd997c72069b6039783fea4c3b35f5cee7 (patch)
tree 96ab08ce58371928846db3538ad14f32daabf1a1
parent 0caf28f2386b656b29a84ba83a20cf2abce8a606 (diff)
Be clearer about the security implications.
-rw-r--r-- src/libstore/globals.hh 5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 601626d00..dec132ff0 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -533,8 +533,9 @@ public:
For example, if the user lacks the CAP_SETGID capability.
Search setgroups(2) for EPERM to find more detailed information on this.
- If you encounter such a failure,
- you can instruct Nix to continue without dropping supplementary groups by setting this option to `false`.
+ If you encounter such a failure, setting this option to `false` will let you ignore it and continue.
+ But before doing so, you should consider the security implications carefully.
+ Not dropping supplementary groups means the build sandbox will be less restricted than intended.
)"};
#if __linux__
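Review bot: The added warning in the three `+` lines tells the reader to "consider the security implications carefully" but never says what they are; "less restricted than intended" leaves the actual exposure to guesswork. Suggest stating it directly: if supplementary groups are not dropped, the build processes keep the group memberships of the process that launched them, so anything those groups can read or write stays reachable from inside the sandbox. It would also help to say that `false` is only appropriate when the setgroups(2) failure cannot be fixed by granting CAP_SETGID, since the preceding context already names that capability as the usual cause. Minor wording point: "ignore it" in the first added line has an unclear referent; "ignore the failure" reads better.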