lix/tests/nixos
jade 9909a175bf Fix /etc/group having desynced IDs from the actual UID in the sandbox
This was found when `logrotate.conf` failed to build in a NixOS system
with:

    /nix/store/26zdl4pyw5qazppj8if5lm8bjzxlc07l-coreutils-9.3/bin/id: cannot find name for group ID 30000

This was surprising because it seemed to mean that /etc/group was busted
in the sandbox. Indeed it was:

    root:x:0:
    nixbld:!:100:
    nogroup:x:65534:

We diagnosed this to sandboxUid() being called before
usingUserNamespace() was called, in setting up /etc/group inside the
sandbox. This code desperately needs refactoring.

We also moved the /etc/group code to be with the /etc/passwd code, but
honestly this code is all spaghetti'd all over the place and needs some
more serious tidying than we did here.

We also moved some checks to be earlier to improve locality with where
the things they are checking come from.

Change-Id: Ie29798771f3593c46ec313a32960fa955054aceb
2024-05-04 17:36:50 -07:00
ca-fd-leak
containers
fetch-git Add pre-commit checks 2024-03-29 22:57:40 -07:00
root-in-sandbox libstore/build: set NO_NEW_PRIVS for the sandbox 2024-04-15 10:25:29 +03:00
setuid libstore/local-derivation-goal: prohibit creating setuid/setgid binaries 2024-05-03 16:29:06 +02:00
authorization.nix
broken-userns.nix Fix /etc/group having desynced IDs from the actual UID in the sandbox 2024-05-04 17:36:50 -07:00
default.nix Fix /etc/group having desynced IDs from the actual UID in the sandbox 2024-05-04 17:36:50 -07:00
github-flakes.nix remove extraneous cache entry from github fetcher 2024-04-21 10:46:05 +00:00
nix-copy-closure.nix make the multi-node vm tests a bit more reliable 2024-03-10 10:10:52 +01:00
nix-copy.nix make the multi-node vm tests a bit more reliable 2024-03-10 10:10:52 +01:00
nix-upgrade-nix.nix add VM test for nix upgrade-nix 2024-04-29 01:19:21 +00:00
nss-preload.nix Merge pull request #9631 from cole-h/fixup-check-warnings 2024-03-07 09:58:15 +01:00
remote-builds-ssh-ng.nix ssh-ng: Set log-fd for ssh to 4 by default 2024-04-26 19:04:06 +02:00
remote-builds.nix make the multi-node vm tests a bit more reliable 2024-03-10 10:10:52 +01:00
sourcehut-flakes.nix tests: unhaunt the flakes nixos tests 2024-04-18 20:09:19 +00:00
symlink-resolvconf.nix libstore/build: set NO_NEW_PRIVS for the sandbox 2024-04-15 10:25:29 +03:00
tarball-flakes.nix tests: add error messages to the asserts in tarball flakes test 2024-04-22 16:13:36 -06:00
util.nix libstore/build: set NO_NEW_PRIVS for the sandbox 2024-04-15 10:25:29 +03:00