From a193ec4052d9efa895681c438cc335296c7affea Mon Sep 17 00:00:00 2001
From: Ben Radford <benradf@users.noreply.github.com>
Date: Tue, 11 Jul 2023 11:13:39 +0100
Subject: [PATCH] Default should depend on whether we are root.

---
 src/libstore/globals.hh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index dec132ff0..9a9b4903f 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -524,7 +524,7 @@ public:
     Setting<bool> sandboxFallback{this, true, "sandbox-fallback",
         "Whether to disable sandboxing when the kernel doesn't allow it."};
 
-    Setting<bool> requireDropSupplementaryGroups{this, true, "require-drop-supplementary-groups",
+    Setting<bool> requireDropSupplementaryGroups{this, getuid() == 0, "require-drop-supplementary-groups",
         R"(
           Following the principle of least privilege,
           Nix will attempt to drop supplementary groups when building with sandboxing.