
Derivations Built Without Sandbox Do Not Use a Valid User #9761

Open
mcmah309 opened this issue Jan 13, 2024 · 2 comments
Labels
bug derivation-build The process of building an individual derivation (see also sandbox label)

Comments

@mcmah309

Describe the bug

When `sandbox = false` is set in nix.conf, or `__noChroot = true` in `builtins.derivation`, the derivation is built as a non-existent user rather than as nixbld, as in a normal derivation. This causes programs like podman, which require a user, to fail.

Steps To Reproduce
Run `nix build .` for this flake.nix:

```nix
{
  description = "";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
  };

  outputs = { self, nixpkgs, ... }@inputs: {
    packages.x86_64-linux.default = builtins.derivation {
      name = "test";
      system = "x86_64-linux";
      # Opt this derivation out of the build sandbox (requires relaxed sandbox or sandbox=false).
      __noChroot = true;
      # The builder only needs coreutils on PATH so that `whoami` resolves the build UID to a name.
      builder = nixpkgs.legacyPackages.x86_64-linux.writeShellScript "builder.sh" ''
        export PATH=$PATH:${nixpkgs.legacyPackages.x86_64-linux.coreutils}/bin
        whoami
      '';
    };
  };
}
```

output:

```text
error: builder for '/nix/store/i94vz5lmpcv95xqi3iai273w9zzb8iah-test.drv' failed with exit code 1;
       last 1 log lines:
       > whoami: cannot find name for user ID 872415232
       For full logs, run 'nix log /nix/store/i94vz5lmpcv95xqi3iai273w9zzb8iah-test.drv'.
```

Removing `__noChroot = true;` does not cause this issue; `whoami` then returns nixbld.

Expected behavior

With `sandbox = false` or `__noChroot = true;`, a user like nixbld should run the derivation, or the current user running the derivation should be used as the user in the derivation context, or at least setting the user in the derivation should be possible.

nix-env --version output

nix-env (Nix) 2.18.1

Additional context

This causes errors when running any sandbox script with podman, as podman needs to be run by a user in a group. I also cannot switch to a new user in the derivation builder, as `su` requires a terminal and `sudo` has been disabled (`sudo: The "no new privileges" flag is set, which prevents sudo from running as root.`).


@mcmah309 mcmah309 added the bug label Jan 13, 2024
@cole-h
Member

cole-h commented Jan 13, 2024

I don't have anything to say that will help, but maybe this will be useful information:

This looks like you have the auto-allocate-uids experimental feature enabled. That user ID in your logs is 0x34000000 in hex, and that is the startId used for auto-allocate-uids:

nix/src/libstore/globals.hh, lines 351 to 366 at cbd5553:

```cpp
    Setting<bool> autoAllocateUids{this, false, "auto-allocate-uids",
        R"(
          Whether to select UIDs for builds automatically, instead of using the
          users in `build-users-group`.

          UIDs are allocated starting at 872415232 (0x34000000) on Linux and 56930 on macOS.
        )", {}, true, Xp::AutoAllocateUids};

    Setting<uint32_t> startId{this,
        #if __linux__
        0x34000000,
        #else
        56930,
        #endif
        "start-id",
        "The first UID and GID to use for dynamic ID allocation."};
```

@mcmah309
Author

That did fix the immediate issue. Thank you. Removing `auto-allocate-uids` from my configuration.nix makes the user nixbld1. I still think a valid user should be used even if `auto-allocate-uids` is present.
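As an added example (not part of the issue thread and not Nix's own code), here is a guard a builder script could run before invoking podman or anything else that does a passwd lookup. It classifies the current UID against a passwd-format file using the start-id values quoted from globals.hh above, and fails with a pointed diagnostic instead of the opaque `cannot find name for user ID` error. Two things are assumptions for illustration only: treating any unnamed UID at or above start-id as "allocated by auto-allocate-uids" is a heuristic, not Nix's bookkeeping, and the sample passwd contents (nixbld1 with UID 30001) are constructed.

```bash
#!/usr/bin/env bash
# Added example, not code from the issue or from Nix: classify the UID a
# non-sandboxed build is running under, and refuse to continue when it has
# no passwd entry (the condition that made `whoami` fail in the report).
set -eu

# First dynamically allocated UID per platform, as quoted from
# src/libstore/globals.hh in the comment above.
NIX_START_ID_LINUX=872415232   # 0x34000000
NIX_START_ID_DARWIN=56930

# uid_to_name PASSWD_FILE UID
# Print the user name PASSWD_FILE maps UID to; exit 1 if there is none.
uid_to_name() {
    awk -F: -v uid="$2" '
        $3 == uid { print $1; found = 1; exit }
        END { exit !found }
    ' "$1"
}

# classify_build_uid PASSWD_FILE UID [START_ID]
# Prints one of:
#   named:<name>           UID has a passwd entry (e.g. nixbld1)
#   auto-allocated:<uid>   no entry, and UID is at or above START_ID; this
#                          "at or above start-id" rule is an assumption made
#                          here, not how Nix itself tracks allocated IDs
#   unnamed:<uid>          no entry, below START_ID
classify_build_uid() {
    local passwd_file=$1 uid=$2 start_id=${3:-$NIX_START_ID_LINUX} name
    if name=$(uid_to_name "$passwd_file" "$uid"); then
        printf 'named:%s\n' "$name"
    elif [ "$uid" -ge "$start_id" ]; then
        printf 'auto-allocated:%s\n' "$uid"
    else
        printf 'unnamed:%s\n' "$uid"
    fi
}

# require_named_build_user [PASSWD_FILE]
# Guard for the top of a builder script: succeed only when the current UID
# resolves to a name; otherwise explain why and fail before podman (or any
# tool that does a passwd lookup) produces a confusing error.
require_named_build_user() {
    local passwd_file=${1:-/etc/passwd} uid
    uid=$(id -u)
    case "$(classify_build_uid "$passwd_file" "$uid")" in
        named:*)
            return 0 ;;
        auto-allocated:*)
            echo "build UID $uid has no passwd entry and lies at or above" \
                 "start-id $NIX_START_ID_LINUX (auto-allocate-uids);" \
                 "disable auto-allocate-uids or build with the sandbox enabled" >&2
            return 1 ;;
        *)
            echo "build UID $uid has no passwd entry" >&2
            return 1 ;;
    esac
}
```

In a builder, call `require_named_build_user` before the first podman invocation; it reads the real /etc/passwd and `id -u`. For testing, or on macOS, pass a passwd file and the macOS start-id (56930) to `classify_build_uid` directly.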

@roberth roberth added the derivation-build The process of building an individual derivation (see also sandbox label) label Mar 22, 2024