libstore: fix auto-allocate-uids for non-sandboxed builds #15822
Open
KiaraGrouwstra wants to merge 1 commit into
…locate-uids` builds

When `auto-allocate-uids` is enabled, builds that cannot be sandboxed (e.g. derivations with `__noChroot = true`, or with `sandbox = false`) were `setuid`'d to an auto-allocated UID with no entry in the host's `/etc/passwd`. `/etc/passwd` is only fabricated inside the chroot, so outside the user namespace `whoami`, `getpwuid()`, `podman` and `ssh` all fail, breaking nixpkgs packages like `spago-legacy`, `generic-stack-builder` and `xcodeenv`.

Auto-allocated UIDs only make sense inside a user namespace where Nix controls `/etc/passwd`. For non-sandboxed builds, fall back to a real `nixbld` user via `build-users-group` if one is configured; otherwise fail with a clear error pointing at sandboxing or `build-users-group` rather than silently running as an unknown UID.

Assisted-by: Claude:claude-opus-4-7
Motivation

Allow unsandboxed builds using `auto-allocate-uids` to fall back to `nixbld` users.

Closes #9761.

Context

Where `auto-allocate-uids` is enabled, builds that cannot be sandboxed (e.g. derivations with `__noChroot = true`, or with `sandbox = false`) were `setuid`'d to an auto-allocated UID with no entry in the host's `/etc/passwd`. `/etc/passwd` is only fabricated inside the chroot, so outside the user namespace `whoami`, `getpwuid()`, `podman` and `ssh` all fail, breaking nixpkgs packages like `spago-legacy`, `generic-stack-builder` and `xcodeenv`.

Auto-allocated UIDs only make sense inside a user namespace where Nix controls `/etc/passwd`. For non-sandboxed builds, fall back to a real `nixbld` user via `build-users-group` if one is configured; otherwise fail with a clear error pointing at sandboxing or `build-users-group` rather than silently running as an unknown UID.

Disclaimer: I used a coding agent in the creation of this patch.
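
The failure and the fallback described in this pull request, as an added example that is not part of the PR or of the Nix source: `lookupUid` resolves a UID the way `whoami` does, and `chooseBuildUser` models the selection the description gives. The names `lookupUid`, `chooseBuildUser` and the sample UID are assumptions made for illustration.

```cpp
#include <cerrno>
#include <cstdio>
#include <pwd.h>
#include <string>
#include <sys/types.h>
#include <unistd.h>
#include <vector>

enum class Lookup { Found, NoEntry, Error };

// Resolve a UID through the passwd database, as whoami or ssh would.
// POSIX: rc == 0 with a null result means "no such user"; rc != 0 is an error.
Lookup lookupUid(uid_t uid, std::string &name) {
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
    std::vector<char> buf(hint > 0 ? static_cast<size_t>(hint) : 1024);
    struct passwd pw{}, *result = nullptr;
    int rc;
    while ((rc = getpwuid_r(uid, &pw, buf.data(), buf.size(), &result)) == ERANGE)
        buf.resize(buf.size() * 2); // entry did not fit, retry with more room
    if (rc != 0) return Lookup::Error;
    if (!result) return Lookup::NoEntry;
    name = result->pw_name;
    return Lookup::Found;
}

enum class BuildUser { AutoAllocated, BuildUsersGroup, Refuse };

// Hypothetical model of the choice described above when auto-allocate-uids
// is enabled; this is not the PR's implementation.
BuildUser chooseBuildUser(bool sandboxed, bool buildUsersGroupConfigured) {
    if (sandboxed) return BuildUser::AutoAllocated;       // passwd is fabricated in the chroot
    if (buildUsersGroupConfigured) return BuildUser::BuildUsersGroup; // real nixbld user
    return BuildUser::Refuse;                             // error instead of an unknown UID
}

int main() {
    const uid_t sampleUid = 872415232; // constructed sample: high UID, no host passwd entry expected
    std::string name;
    Lookup r = lookupUid(sampleUid, name);
    if (r == Lookup::Found)
        std::printf("uid %u resolves to %s\n", (unsigned) sampleUid, name.c_str());
    else
        std::printf("uid %u has no usable passwd entry (%s)\n", (unsigned) sampleUid,
                    r == Lookup::NoEntry ? "no entry" : "lookup error");
    return 0;
}
```
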