[Nix#9761] Derivations Built Without Sandbox Do Not Use a Valid User #69

New issue

Closed

opened 2024-03-16 06:44:45 +00:00 by lix-bot · 2 comments

lix-bot commented

2024-03-16 06:44:45 +00:00

Member

Upstream-Issue: NixOS/nix#9761

Describe the bug

When in sandbox=false in nix.conf or __nochroot=true in builtins.derivation, the derivation is built with a non-existent user rather than nixbld in a normal derivation. This causes programs like podman to fail that require a user.

Steps To Reproduce
Run nix build . For this flake.nix

{
  description = "";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
  };

  outputs = { self, nixpkgs, ... }@inputs: {
    packages.x86_64-linux.default = builtins.derivation {
      name = "test";
      system = "x86_64-linux";
      __noChroot = true;
      builder = nixpkgs.legacyPackages.x86_64-linux.writeShellScript "builder.sh" ''
        export PATH=$PATH:${nixpkgs.legacyPackages.x86_64-linux.coreutils}/bin
        whoami
      '';
    };
  };
}

output:

error: builder for '/nix/store/i94vz5lmpcv95xqi3iai273w9zzb8iah-test.drv' failed with exit code 1;
       last 1 log lines:
       > whoami: cannot find name for user ID 872415232
       For full logs, run 'nix log /nix/store/i94vz5lmpcv95xqi3iai273w9zzb8iah-test.drv'.

Removing __noChroot = true; will not cause this issue, as whoami will return nixbld

Expected behavior

With sandbox=false or __noChroot = true;, a user like nixbld should run the derivation, or the current user running the derivation should be used as the user in the derivation context, or at least setting the user in the derivation should be possible.

nix-env --version output

nix-env (Nix) 2.18.1

Additional context

This causes errors with running any sandbox script with podman, as podman needs to be run by a user in a group. I also cannot switch to a new user in the derivation builder, as su requires a terminal and sudo has been disabled (sudo: The “no new privileges” flag is set, which prevents sudo from running as root.).

Priorities

Add 👍 to issues you find important.

Upstream-Issue: https://git.lix.systems/NixOS/nix/issues/9761 **Describe the bug** When in `sandbox=false` in `nix.conf` or `__nochroot=true` in `builtins.derivation`, the derivation is built with a non-existent user rather than `nixbld` in a normal derivation. This causes programs like `podman` to fail that require a user. **Steps To Reproduce** Run `nix build .` For this `flake.nix` ```nix { description = ""; inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; }; outputs = { self, nixpkgs, ... }@inputs: { packages.x86_64-linux.default = builtins.derivation { name = "test"; system = "x86_64-linux"; __noChroot = true; builder = nixpkgs.legacyPackages.x86_64-linux.writeShellScript "builder.sh" '' export PATH=$PATH:${nixpkgs.legacyPackages.x86_64-linux.coreutils}/bin whoami ''; }; }; } ``` output: ``` error: builder for '/nix/store/i94vz5lmpcv95xqi3iai273w9zzb8iah-test.drv' failed with exit code 1; last 1 log lines: > whoami: cannot find name for user ID 872415232 For full logs, run 'nix log /nix/store/i94vz5lmpcv95xqi3iai273w9zzb8iah-test.drv'. ``` Removing ` __noChroot = true;` will not cause this issue, as `whoami` will return `nixbld` **Expected behavior** With `sandbox=false` or `__noChroot = true;`, a user like `nixbld` should run the derivation, or the current user running the derivation should be used as the user in the derivation context, or at least setting the user in the derivation should be possible. **`nix-env --version` output** ``` nix-env (Nix) 2.18.1 ``` **Additional context** This causes errors with running any sandbox script with `podman`, as `podman` needs to be run by a user in a group. I also cannot switch to a new user in the derivation builder, as `su` requires a terminal and `sudo` has been disabled (`sudo: The “no new privileges” flag is set, which prevents sudo from running as root.`). **Priorities** Add :+1: to [issues you find important](https://github.com/NixOS/nix/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc).