From 2b4c59dd997c72069b6039783fea4c3b35f5cee7 Mon Sep 17 00:00:00 2001 From: Ben Radford Date: Tue, 11 Jul 2023 11:09:25 +0100 Subject: [PATCH] Be clearer about the security implications. --- src/libstore/globals.hh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index 601626d00..dec132ff0 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -533,8 +533,9 @@ public: For example, if the user lacks the CAP_SETGID capability. Search setgroups(2) for EPERM to find more detailed information on this. - If you encounter such a failure, - you can instruct Nix to continue without dropping supplementary groups by setting this option to `false`. + If you encounter such a failure, setting this option to `false` will let you ignore it and continue. + But before doing so, you should consider the security implications carefully. + Not dropping supplementary groups means the build sandbox will be less restricted than intended. )"}; #if __linux__
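Review bot: In the three added lines of the `@@ -533,8 +533,9 @@` hunk in src/libstore/globals.hh, "less restricted than intended" does not say what is actually exposed, so a reader cannot weigh the risk the text asks them to consider. State the consequence directly: with the option set to `false`, the builder process keeps whatever supplementary groups it inherited and can reach anything those groups are permitted to access. The removed wording also said explicitly that Nix continues "without dropping supplementary groups", while the new "ignore it and continue" leaves the reader to infer what is being skipped. Keeping that phrase in the first added sentence would preserve the precision. As a minor style point, the sentence beginning "But before doing so" could be joined to the previous one or start with "Before doing so".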