forked from lix-project/lix
Update description for require-drop-supplementary-groups.
This commit is contained in:
parent
07dabcc90e
commit
0caf28f238
1 changed files with 7 additions and 13 deletions
|
@ -526,21 +526,15 @@ public:
|
||||||
|
|
||||||
Setting<bool> requireDropSupplementaryGroups{this, true, "require-drop-supplementary-groups",
|
Setting<bool> requireDropSupplementaryGroups{this, true, "require-drop-supplementary-groups",
|
||||||
R"(
|
R"(
|
||||||
Whether to drop supplementary groups when building with sandboxing.
|
Following the principle of least privilege,
|
||||||
This is normally a good idea if we are root and have the capability to
|
Nix will attempt to drop supplementary groups when building with sandboxing.
|
||||||
do so.
|
|
||||||
|
|
||||||
But if this "root" is mapped from a non-root user in a larger
|
However this can fail under some circumstances.
|
||||||
namespace, we won't be able drop additional groups; they will be
|
For example, if the user lacks the CAP_SETGID capability.
|
||||||
mapped to nogroup in the child namespace. There does not seem to be a
|
Search setgroups(2) for EPERM to find more detailed information on this.
|
||||||
workaround for this.
|
|
||||||
|
|
||||||
(But who can tell from reading user_namespaces(7)? See also https://lwn.net/Articles/621612/.)
|
If you encounter such a failure,
|
||||||
|
you can instruct Nix to continue without dropping supplementary groups by setting this option to `false`.
|
||||||
TODO: It might be good to create a middle ground option that allows
|
|
||||||
`setgroups` to fail if all additional groups are "nogroup" / the value
|
|
||||||
of `/proc/sys/fs/overflowuid`. This would handle the common
|
|
||||||
nested-sandboxing case identified above.
|
|
||||||
)"};
|
)"};
|
||||||
|
|
||||||
#if __linux__
|
#if __linux__
|
||||||
|
|
Loading…
Reference in a new issue