From bbba49b3e42fb4bacd9b253f41291dc381ba10db Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Fri, 17 Feb 2023 16:31:55 +0100
Subject: [PATCH] Wait with making /etc unwritable until after build env setup

This fixes /etc/nsswitch.conf
---
 src/libstore/build/local-derivation-goal.cc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 7b125f5d2..a961d8eed 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -971,10 +971,6 @@ void LocalDerivationGoal::startBuilder()
                 "nobody:x:65534:65534:Nobody:/:/noshell\n",
                 sandboxUid(), sandboxGid(), settings.sandboxBuildDir));
 
-        /* Make /etc unwritable */
-        if (!parsedDrv->useUidRange())
-            chmod_(chrootRootDir + "/etc", 0555);
-
         /* Save the mount- and user namespace of the child. We have to do this
            *before* the child does a chroot. */
         sandboxMountNamespace = open(fmt("/proc/%d/ns/mnt", (pid_t) pid).c_str(), O_RDONLY);
@@ -1855,6 +1851,10 @@ void LocalDerivationGoal::runChild()
                 }
             }
 
+            /* Make /etc unwritable */
+            if (!parsedDrv->useUidRange())
+                chmod_(chrootRootDir + "/etc", 0555);
+
             /* Unshare this mount namespace. This is necessary because pivot_root()
                below changes the root of the mount namespace. This means that the call
                to setns() in
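Review bot: The relocated `/* Make /etc unwritable */` block in the runChild() hunk carries no explanation of why it must sit exactly there, although the placement is the whole point of the commit: it has to run after the parent has finished populating the chroot's /etc (the commit message names nsswitch.conf; that write is not in view) and before the mount namespace is unshared and pivot_root() changes what chrootRootDir refers to. A why-comment would keep a later refactor from moving it back to startBuilder(), e.g. `/* Make /etc unwritable. Done in the child so that everything the parent writes into the chroot's /etc during setup (e.g. nsswitch.conf) is already in place; must stay before the unshare/pivot_root below, while chrootRootDir still names the host-side path. */`. Worth stating in that comment as well: chmod_() on the directory only blocks creating, removing or renaming entries, and files already inside keep their own modes, so this is not a guarantee about the contents of those files — unchanged by the move, but easy to misread. runChild()'s body begins and ends outside the hunk, and the hunk's final context line is truncated in this view.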