From 2e8eaca573ccda707ff42c136a6f38a34f2975b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= Date: Thu, 11 Mar 2010 10:21:23 +0000 Subject: [PATCH] Clear supplementary groups of `nixbld' in /etc/passwd in chroots. * src/libstore/build.cc (nix::DerivationGoal::startBuilder): Don't display any supplementary groups for `nixbld' in /etc/passwd. --- src/libstore/build.cc | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/libstore/build.cc b/src/libstore/build.cc index f4478a4db..85948f799 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -1566,14 +1566,15 @@ void DerivationGoal::startBuilder() createDirs(chrootTmpDir); chmod(chrootTmpDir, 01777); - /* Create a /etc/passwd with entries for the build user and - the nobody account. The latter is kind of a hack to - support Samba-in-QEMU. */ + /* Create a /etc/passwd with entries for the build user and the + nobody account. The latter is kind of a hack to support + Samba-in-QEMU. For the sake of consistency with the setgroups(2) + call below, the build user has no supplementary groups. */ createDirs(chrootRootDir + "/etc"); writeFile(chrootRootDir + "/etc/passwd", (format( - "nixbld:x:%1%:65534:Nix build user:/:/noshell\n" + "nixbld:x:%1%:%1%:Nix build user:/:/noshell\n" "nobody:x:65534:65534:Nobody:/:/noshell\n") % (buildUser.enabled() ? buildUser.getUID() : getuid())).str());