diff options
| author | Ben Radford <benradf@users.noreply.github.com> | 2023-07-11 10:44:03 +0100 |
|---|---|---|
| committer | Ben Radford <benradf@users.noreply.github.com> | 2023-07-11 10:44:05 +0100 |
| commit | 07dabcc90ed8f2a2e7b98d858a47de3e75d2c3a2 (patch) | |
| tree | 1aae55a4e70eeafb311141605fcf6a478e620d61 | |
| parent | 25b20b4ad23d05d9a1e9daf105d33b7b68e4435b (diff) | |
Always attempt setgroups but allow failure to be ignored.
| -rw-r--r-- | src/libstore/build/local-derivation-goal.cc | 9 | ||||
| -rw-r--r-- | src/libstore/globals.hh | 2 | ||||
| -rw-r--r-- | tests/supplementary-groups.sh | 8 |
3 files changed, 11 insertions, 8 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc index 53e6998e8..068b47f93 100644 --- a/src/libstore/build/local-derivation-goal.cc +++ b/src/libstore/build/local-derivation-goal.cc @@ -909,9 +909,12 @@ void LocalDerivationGoal::startBuilder() /* Drop additional groups here because we can't do it after we've created the new user namespace. */ - if (settings.dropSupplementaryGroups) - if (setgroups(0, 0) == -1) - throw SysError("setgroups failed. Set the drop-supplementary-groups option to false to skip this step."); + if (setgroups(0, 0) == -1) { + if (errno != EPERM) + throw SysError("setgroups failed"); + if (settings.requireDropSupplementaryGroups) + throw Error("setgroups failed. Set the require-drop-supplementary-groups option to false to skip this step."); + } ProcessOptions options; options.cloneFlags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | CLONE_PARENT | SIGCHLD; diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index a19b43086..dbabf116a 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -524,7 +524,7 @@ public: Setting<bool> sandboxFallback{this, true, "sandbox-fallback", "Whether to disable sandboxing when the kernel doesn't allow it."}; - Setting<bool> dropSupplementaryGroups{this, getuid() == 0, "drop-supplementary-groups", + Setting<bool> requireDropSupplementaryGroups{this, true, "require-drop-supplementary-groups", R"( Whether to drop supplementary groups when building with sandboxing. This is normally a good idea if we are root and have the capability to diff --git a/tests/supplementary-groups.sh b/tests/supplementary-groups.sh index 47debc5e3..47c6ef605 100644 --- a/tests/supplementary-groups.sh +++ b/tests/supplementary-groups.sh @@ -20,14 +20,14 @@ unshare --mount --map-root-user bash <<EOF setLocalStore store1 expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process" - # Fails with `drop-supplementary-groups` + # Fails with `require-drop-supplementary-groups` # TODO better error setLocalStore store2 - NIX_CONFIG='drop-supplementary-groups = true' \ + NIX_CONFIG='require-drop-supplementary-groups = true' \ expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process" - # Works without `drop-supplementary-groups` + # Works without `require-drop-supplementary-groups` setLocalStore store3 - NIX_CONFIG='drop-supplementary-groups = false' \ + NIX_CONFIG='require-drop-supplementary-groups = false' \ "\${cmd[@]}" EOF |