lix/doc/manual/command-ref
Eelco Dolstra 6cf23c3e8f
Add allow-new-privileges option
This allows builds to call setuid binaries. This was previously
possible until we started using seccomp. Turns out that seccomp by
default disallows processes from acquiring new privileges. Generally,
any use of setuid binaries (except those created by the builder
itself) is by definition impure, but some people were relying on this
ability for certain tests.

Example:

  $ nix build '(with import <nixpkgs> {}; runCommand "foo" {} "/run/wrappers/bin/ping -c 1 8.8.8.8; exit 1")' --no-allow-new-privileges
  builder for ‘/nix/store/j0nd8kv85hd6r4kxgnwzvr0k65ykf6fv-foo.drv’ failed with exit code 1; last 2 log lines:
    cannot raise the capability into the Ambient set
    : Operation not permitted

  $ nix build '(with import <nixpkgs> {}; runCommand "foo" {} "/run/wrappers/bin/ping -c 1 8.8.8.8; exit 1")' --allow-new-privileges
  builder for ‘/nix/store/j0nd8kv85hd6r4kxgnwzvr0k65ykf6fv-foo.drv’ failed with exit code 1; last 6 log lines:
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=15.2 ms

Fixes #1429.
2017-07-04 15:48:25 +02:00
..
command-ref.xml
conf-file.xml Add allow-new-privileges option 2017-07-04 15:48:25 +02:00
env-common.xml Remove $NIX_BUILD_HOOK and $NIX_CURRENT_LOAD 2017-05-01 17:30:16 +02:00
files.xml
main-commands.xml
nix-build.xml Document tarball downloading 2015-06-01 15:14:44 +02:00
nix-channel.xml Nuke nix-push. 2016-08-10 11:13:11 -04:00
nix-collect-garbage.xml doc/manual/command-ref/nix-collect-garbage.xml: document --max-freed option 2016-01-18 13:25:36 +01:00
nix-copy-closure.xml Remove references to old-school signing 2016-03-22 15:39:59 +01:00
nix-daemon.xml Fix references to version.txt 2014-09-16 14:57:45 +02:00
nix-env.xml document option 2017-04-19 19:10:12 +02:00
nix-hash.xml Fix references to version.txt 2014-09-16 14:57:45 +02:00
nix-instantiate.xml doc: fix the description of --xml and --json 2017-05-03 10:49:34 +02:00
nix-prefetch-url.xml nix-prefetch-url: Add --name option 2015-10-07 14:55:33 +02:00
nix-shell.xml Fix typo in nix-shell command reference. 2016-02-13 01:03:32 -07:00
nix-store.xml Store: Add a method for getting build logs 2017-03-15 16:48:29 +01:00
opt-common-syn.xml Improved logging abstraction 2016-04-25 19:18:45 +02:00
opt-common.xml Support auto-configuration of build-max-jobs 2017-02-28 12:54:50 +01:00
opt-inst-syn.xml
utilities.xml Nuke nix-push. 2016-08-10 11:13:11 -04:00