Always attempt setgroups but allow failure to be ignored.

2023-07-11 10:44:03 +01:00 · 2023-07-11 10:44:03 +01:00 · 07dabcc90e
parent 25b20b4ad2
commit 07dabcc90e
3 changed files with 11 additions and 8 deletions
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@ -909,9 +909,12 @@ void LocalDerivationGoal::startBuilder()

            /* Drop additional groups here because we can't do it
               after we've created the new user namespace. */
-            if (settings.dropSupplementaryGroups)
-                if (setgroups(0, 0) == -1)
-                    throw SysError("setgroups failed. Set the drop-supplementary-groups option to false to skip this step.");
+            if (setgroups(0, 0) == -1) {
+                if (errno != EPERM)
+                    throw SysError("setgroups failed");
+                if (settings.requireDropSupplementaryGroups)
+                    throw Error("setgroups failed. Set the require-drop-supplementary-groups option to false to skip this step.");
+            }

            ProcessOptions options;
            options.cloneFlags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | CLONE_PARENT | SIGCHLD;
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@ -524,7 +524,7 @@ public:
    Setting<bool> sandboxFallback{this, true, "sandbox-fallback",
        "Whether to disable sandboxing when the kernel doesn't allow it."};

-    Setting<bool> dropSupplementaryGroups{this, getuid() == 0, "drop-supplementary-groups",
+    Setting<bool> requireDropSupplementaryGroups{this, true, "require-drop-supplementary-groups",
        R"(
          Whether to drop supplementary groups when building with sandboxing.
          This is normally a good idea if we are root and have the capability to
--- a/tests/supplementary-groups.sh
+++ b/tests/supplementary-groups.sh
@ -20,14 +20,14 @@ unshare --mount --map-root-user bash <<EOF
  setLocalStore store1
  expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process"

-  # Fails with `drop-supplementary-groups`
+  # Fails with `require-drop-supplementary-groups`
  # TODO better error
  setLocalStore store2
-  NIX_CONFIG='drop-supplementary-groups = true' \
+  NIX_CONFIG='require-drop-supplementary-groups = true' \
    expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process"

-  # Works without `drop-supplementary-groups`
+  # Works without `require-drop-supplementary-groups`
  setLocalStore store3
-  NIX_CONFIG='drop-supplementary-groups = false' \
+  NIX_CONFIG='require-drop-supplementary-groups = false' \
    "\${cmd[@]}"
 EOF