authorEelco Dolstra <edolstra@gmail.com>2022-11-21 12:55:49 +0100
committerEelco Dolstra <edolstra@gmail.com>2022-11-21 12:55:49 +0100
commit9d17ce07e872e88057480744414e0d1ef4fd5fa8 (patch)
tree6bc3c439d77dd1644d2c6809329b093b5b386c5f /src/libstore/lock.cc
parent82d5cf2a76ec009fd94a925c22a5e099a0b7321b (diff)
AutoUserLock: If sandboxing is disabled, use the build users group
We have to use a gid that has write access to the Nix store.
Diffstat (limited to 'src/libstore/lock.cc')
-rw-r--r--src/libstore/lock.cc22
1 files changed, 13 insertions, 9 deletions
diff --git a/src/libstore/lock.cc b/src/libstore/lock.cc
index 4fad3bfd2..3b93979a8 100644
--- a/src/libstore/lock.cc
+++ b/src/libstore/lock.cc
@@ -109,22 +109,18 @@ struct AutoUserLock : UserLock
{
AutoCloseFD fdUserLock;
uid_t firstUid = 0;
+ gid_t firstGid = 0;
uid_t nrIds = 1;
uid_t getUID() override { assert(firstUid); return firstUid; }
gid_t getUIDCount() override { return nrIds; }
- gid_t getGID() override
- {
- // We use the same GID ranges as for the UIDs.
- assert(firstUid);
- return firstUid;
- }
+ gid_t getGID() override { assert(firstGid); return firstGid; }
std::vector<gid_t> getSupplementaryGIDs() override { return {}; }
- static std::unique_ptr<UserLock> acquire(uid_t nrIds)
+ static std::unique_ptr<UserLock> acquire(uid_t nrIds, bool useChroot)
{
settings.requireExperimentalFeature(Xp::AutoAllocateUids);
assert(settings.startId > 0);
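Review bot: The new `firstGid` field has two different meanings, and nothing at its declaration says so; the comment that explained the old behaviour (`// We use the same GID ranges as for the UIDs.`) is deleted along with the old `getGID()`. I would add a comment on the field, e.g. `// Sandboxed: equal to firstUid. Unsandboxed: gid of build-users-group, shared by all builds and able to write to the store.` That keeps the isolation difference between the two modes visible to anyone who later touches `getGID()` or `getSupplementaryGIDs()`. The body of `acquire` continues outside this hunk.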
@@ -154,6 +150,14 @@ struct AutoUserLock : UserLock
auto lock = std::make_unique<AutoUserLock>();
lock->fdUserLock = std::move(fd);
lock->firstUid = settings.startId + i * maxIdsPerBuild;
+ if (useChroot)
+ lock->firstGid = lock->firstUid;
+ else {
+ struct group * gr = getgrnam(settings.buildUsersGroup.get().c_str());
+ if (!gr)
+ throw Error("the group '%s' specified in 'build-users-group' does not exist", settings.buildUsersGroup);
+ lock->firstGid = gr->gr_gid;
+ }
lock->nrIds = nrIds;
return lock;
}
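Review bot: In the `else` branch, `gr->gr_gid` is stored without checking that it is non-zero. A `build-users-group` that resolves to gid 0 is therefore only caught later by `assert(firstGid)` in `getGID()`, which aborts, or does nothing if asserts are compiled out, rather than raising a configuration error here. I would add `if (gr->gr_gid == 0) throw Error("the group '%s' specified in 'build-users-group' has gid 0", settings.buildUsersGroup);` before the assignment. Separately, `getgrnam` also returns null when the lookup itself fails (with `errno` set), and an empty `build-users-group` would produce the same "does not exist" message, so the error text can mislead; it also returns a pointer to static storage, which matters if this path can run on more than one thread. `acquire` begins outside this hunk.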
@@ -163,10 +167,10 @@ struct AutoUserLock : UserLock
}
};
-std::unique_ptr<UserLock> acquireUserLock(uid_t nrIds)
+std::unique_ptr<UserLock> acquireUserLock(uid_t nrIds, bool useChroot)
{
if (settings.autoAllocateUids)
- return AutoUserLock::acquire(nrIds);
+ return AutoUserLock::acquire(nrIds, useChroot);
else
return SimpleUserLock::acquire();
}
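Review bot: `useChroot` is a bare `bool` that decides whether the build gets a private gid or the store-writable build-users-group gid, and nothing on `acquireUserLock` states that contract or that the `SimpleUserLock` branch ignores it. As far as this file shows, a caller that passes `false` for a sandboxed build would hand the builder the shared group unnecessarily. I would document it at the definition (and at the declaration, which is not part of this diff): `// useChroot: true if the build runs sandboxed; only consulted when settings.autoAllocateUids is set.`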