nix run: Set a reasonable uid/gid
This commit is contained in:
parent
d64e0c1b64
commit
f8a8b4d8f8
|
@ -50,6 +50,9 @@ struct CmdRun : StoreCommand, MixInstallables
|
||||||
|
|
||||||
if (store2 && store->storeDir != store2->realStoreDir) {
|
if (store2 && store->storeDir != store2->realStoreDir) {
|
||||||
#if __linux__
|
#if __linux__
|
||||||
|
uid_t uid = getuid();
|
||||||
|
uid_t gid = getgid();
|
||||||
|
|
||||||
if (unshare(CLONE_NEWUSER | CLONE_NEWNS) == -1)
|
if (unshare(CLONE_NEWUSER | CLONE_NEWNS) == -1)
|
||||||
throw SysError("setting up a private mount namespace");
|
throw SysError("setting up a private mount namespace");
|
||||||
|
|
||||||
|
@ -91,6 +94,10 @@ struct CmdRun : StoreCommand, MixInstallables
|
||||||
} else
|
} else
|
||||||
if (mount(store2->realStoreDir.c_str(), store->storeDir.c_str(), "", MS_BIND, 0) == -1)
|
if (mount(store2->realStoreDir.c_str(), store->storeDir.c_str(), "", MS_BIND, 0) == -1)
|
||||||
throw SysError(format("mounting ‘%s’ on ‘%s’") % store2->realStoreDir % store->storeDir);
|
throw SysError(format("mounting ‘%s’ on ‘%s’") % store2->realStoreDir % store->storeDir);
|
||||||
|
|
||||||
|
writeFile("/proc/self/setgroups", "deny");
|
||||||
|
writeFile("/proc/self/uid_map", (format("%d %d %d") % uid % uid % 1).str());
|
||||||
|
writeFile("/proc/self/gid_map", (format("%d %d %d") % gid % gid % 1).str());
|
||||||
#else
|
#else
|
||||||
throw Error(format("mounting the Nix store on ‘%s’ is not supported on this platform") % store->storeDir);
|
throw Error(format("mounting the Nix store on ‘%s’ is not supported on this platform") % store->storeDir);
|
||||||
#endif
|
#endif
|
||||||
|
|
Loading…
Reference in a new issue