diff options
Diffstat (limited to 'src/libstore/globals.hh')
-rw-r--r-- | src/libstore/globals.hh | 20 |
1 files changed, 7 insertions, 13 deletions
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index dbabf116a..601626d00 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -526,21 +526,15 @@ public: Setting<bool> requireDropSupplementaryGroups{this, true, "require-drop-supplementary-groups", R"( - Whether to drop supplementary groups when building with sandboxing. - This is normally a good idea if we are root and have the capability to - do so. + Following the principle of least privilege, + Nix will attempt to drop supplementary groups when building with sandboxing. - But if this "root" is mapped from a non-root user in a larger - namespace, we won't be able drop additional groups; they will be - mapped to nogroup in the child namespace. There does not seem to be a - workaround for this. + However this can fail under some circumstances. + For example, if the user lacks the CAP_SETGID capability. + Search setgroups(2) for EPERM to find more detailed information on this. - (But who can tell from reading user_namespaces(7)? See also https://lwn.net/Articles/621612/.) - - TODO: It might be good to create a middle ground option that allows - `setgroups` to fail if all additional groups are "nogroup" / the value - of `/proc/sys/fs/overflowuid`. This would handle the common - nested-sandboxing case identified above. + If you encounter such a failure, + you can instruct Nix to continue without dropping supplementary groups by setting this option to `false`. )"}; #if __linux__ |