Always attempt setgroups but allow failure to be ignored.
This commit is contained in:
parent
25b20b4ad2
commit
07dabcc90e
|
@ -909,9 +909,12 @@ void LocalDerivationGoal::startBuilder()
|
|||
|
||||
/* Drop additional groups here because we can't do it
|
||||
after we've created the new user namespace. */
|
||||
if (settings.dropSupplementaryGroups)
|
||||
if (setgroups(0, 0) == -1)
|
||||
throw SysError("setgroups failed. Set the drop-supplementary-groups option to false to skip this step.");
|
||||
if (setgroups(0, 0) == -1) {
|
||||
if (errno != EPERM)
|
||||
throw SysError("setgroups failed");
|
||||
if (settings.requireDropSupplementaryGroups)
|
||||
throw Error("setgroups failed. Set the require-drop-supplementary-groups option to false to skip this step.");
|
||||
}
|
||||
|
||||
ProcessOptions options;
|
||||
options.cloneFlags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | CLONE_PARENT | SIGCHLD;
|
||||
|
|
|
@ -524,7 +524,7 @@ public:
|
|||
Setting<bool> sandboxFallback{this, true, "sandbox-fallback",
|
||||
"Whether to disable sandboxing when the kernel doesn't allow it."};
|
||||
|
||||
Setting<bool> dropSupplementaryGroups{this, getuid() == 0, "drop-supplementary-groups",
|
||||
Setting<bool> requireDropSupplementaryGroups{this, true, "require-drop-supplementary-groups",
|
||||
R"(
|
||||
Whether to drop supplementary groups when building with sandboxing.
|
||||
This is normally a good idea if we are root and have the capability to
|
||||
|
|
|
@ -20,14 +20,14 @@ unshare --mount --map-root-user bash <<EOF
|
|||
setLocalStore store1
|
||||
expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process"
|
||||
|
||||
# Fails with `drop-supplementary-groups`
|
||||
# Fails with `require-drop-supplementary-groups`
|
||||
# TODO better error
|
||||
setLocalStore store2
|
||||
NIX_CONFIG='drop-supplementary-groups = true' \
|
||||
NIX_CONFIG='require-drop-supplementary-groups = true' \
|
||||
expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process"
|
||||
|
||||
# Works without `drop-supplementary-groups`
|
||||
# Works without `require-drop-supplementary-groups`
|
||||
setLocalStore store3
|
||||
NIX_CONFIG='drop-supplementary-groups = false' \
|
||||
NIX_CONFIG='require-drop-supplementary-groups = false' \
|
||||
"\${cmd[@]}"
|
||||
EOF
|
||||
|
|
Loading…
Reference in a new issue