path: root/src/libstore/lock.cc
Age | Commit message | Author
2023-01-05 | On macOS with auto-uid-allocation and sandboxing, use the correct gid | Eelco Dolstra
macOS doesn't have user namespacing, so the gid of the builder needs to be nixbld. The logic got "has sandboxing enabled" confused with "has user namespaces". Fixes #7529.
2022-12-14 | Allow disabling build users by unsetting `build-users-group` | Naïm Favier
Unsetting `build-users-group` (without `auto-allocate-uids` enabled) gives the following error:

```
src/libstore/lock.cc:25: static std::unique_ptr<nix::UserLock> nix::SimpleUserLock::acquire(): Assertion `settings.buildUsersGroup != ""' failed.
```

Fix the logic in `useBuildUsers` and document the default value for `build-users-group`.
2022-11-28 | Check that auto-allocated UIDs don't clash with existing accounts | Eelco Dolstra
2022-11-22 | SimpleUserLock::getSupplementaryGIDs(): Filter out main gid | Eelco Dolstra
This avoids having the user's gid in the supplementary group list as well.
2022-11-21 | AutoUserLock: If sandboxing is disabled, use the build users group | Eelco Dolstra
We have to use a gid that has write access to the Nix store.
2022-11-18 | Separate cgroup support from auto-uid-allocation | Eelco Dolstra
The new experimental feature 'cgroups' enables the use of cgroups for all builds. This allows better containment and enables setting resource limits and getting some build stats.
2022-11-08 | Fix build on macOS | Eelco Dolstra
2022-11-08 | Split auto UID allocation from cgroups | Eelco Dolstra
Cgroups are now only used for derivations that require the uid-range range feature. This allows auto UID allocation even on systems that don't have cgroups (like macOS). Also, make things work on modern systems that use cgroups v2 (where there is a single hierarchy and no "systemd" controller).
2022-11-03 | Merge remote-tracking branch 'origin/master' into auto-uid-allocation | Eelco Dolstra
2022-06-08 | fix(libstore/lock): support users that belong to more than 10 groups | Bernardo Meurer
The manpage for `getgrouplist` says:

> If the number of groups of which user is a member is less than or
> equal to *ngroups, then the value *ngroups is returned.
>
> If the user is a member of more than *ngroups groups, then
> getgrouplist() returns -1. In this case, the value returned in
> *ngroups can be used to resize the buffer passed to a further
> call getgrouplist().

In our original code, however, we allocated a list of size `10` and, if `getgrouplist` returned `-1` threw an exception. In practice, this caused the code to fail for any user belonging to more than 10 groups.

While unusual for single-user systems, large companies commonly have a huge number of POSIX groups users belong to, causing this issue to crop up and make multi-user Nix unusable in such settings.

The fix is relatively simple, when `getgrouplist` fails, it stores the real number of GIDs in `ngroups`, so we must resize our list and retry. Only then, if it errors once more, we can raise an exception.

This should be backported to, at least, 2.9.x.
2022-02-28 | Merge remote-tracking branch 'upstream/master' into auto-uid-allocation | John Ericson
2020-10-17 | Merge commit 'd334fd48824b41b57e267cd2926fa9619b7718e3' into auto-uid-allocation | John Ericson
2020-10-11 | Trim lock.cc | John Ericson
2020-10-11 | Rename to hand-hold git (lock.cc) | John Ericson