6cf23c3e8f
This allows builds to call setuid binaries. This was previously possible until we started using seccomp. Turns out that seccomp by default disallows processes from acquiring new privileges. Generally, any use of setuid binaries (except those created by the builder itself) is by definition impure, but some people were relying on this ability for certain tests. Example: $ nix build '(with import <nixpkgs> {}; runCommand "foo" {} "/run/wrappers/bin/ping -c 1 8.8.8.8; exit 1")' --no-allow-new-privileges builder for ‘/nix/store/j0nd8kv85hd6r4kxgnwzvr0k65ykf6fv-foo.drv’ failed with exit code 1; last 2 log lines: cannot raise the capability into the Ambient set : Operation not permitted $ nix build '(with import <nixpkgs> {}; runCommand "foo" {} "/run/wrappers/bin/ping -c 1 8.8.8.8; exit 1")' --allow-new-privileges builder for ‘/nix/store/j0nd8kv85hd6r4kxgnwzvr0k65ykf6fv-foo.drv’ failed with exit code 1; last 6 log lines: PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=15.2 ms Fixes #1429. |
||
---|---|---|
config | ||
corepkgs | ||
doc/manual | ||
maintainers | ||
misc | ||
mk | ||
perl | ||
scripts | ||
src | ||
tests | ||
.dir-locals.el | ||
.editorconfig | ||
.gitignore | ||
bootstrap.sh | ||
configure.ac | ||
COPYING | ||
local.mk | ||
Makefile | ||
Makefile.config.in | ||
nix.spec.in | ||
README.md | ||
release-common.nix | ||
release.nix | ||
shell.nix | ||
version |
Nix, the purely functional package manager
Nix is a new take on package management that is fairly unique. Because of its purity aspects, a lot of issues found in traditional package managers don't appear with Nix.
To find out more about the tool, usage and installation instructions, please read the manual, which is available on the Nix website at http://nixos.org/nix/manual.
Contributing
Take a look at the Hacking Section of the manual. It helps you to get started with building Nix from source.
License
Nix is released under the LGPL v2.1
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.