Default should depend on whether we are root.

2023-07-11 11:13:39 +01:00 · 2023-07-11 11:13:39 +01:00 · a193ec4052
parent 2b4c59dd99
commit a193ec4052
1 changed files with 1 additions and 1 deletions
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@ -524,7 +524,7 @@ public:
    Setting<bool> sandboxFallback{this, true, "sandbox-fallback",
        "Whether to disable sandboxing when the kernel doesn't allow it."};

-    Setting<bool> requireDropSupplementaryGroups{this, true, "require-drop-supplementary-groups",
+    Setting<bool> requireDropSupplementaryGroups{this, getuid() == 0, "require-drop-supplementary-groups",
        R"(
          Following the principle of least privilege,
          Nix will attempt to drop supplementary groups when building with sandboxing.