nix: do not disable sandbox by default #35666
Comments
I also filed a bug in nix as nix probably should detect this kind of misconfiguration early: NixOS/nix#6113
Issues become stale 90 days after last activity and are closed 14 days after that. If this issue is still relevant bump it or assign it.
Still relevant
System
Expected behavior
/etc/nix.conf should have sandbox on, and should build packages as expected in such an isolated environment.
Actual behavior
/etc/nix.conf has sandbox turned off by default, and it fails unexpectedly when turned on due to a misconfiguration with sandbox-paths. Nix mounts /bin/sh into the sandboxed namespace, but this binary is linked against musl libc and thus fails to work in such a sandboxed environment. The workaround is to install busybox-static and edit sandbox-paths in /etc/nix.conf so that /bin/sh points to busybox.static instead.
Steps to reproduce the behavior
/bin/sh -c gzip
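The weak configuration and the corrected one side by side, as an added example that is not taken from the issue or from the aports package. The file path /etc/nix.conf follows the issue; the exact "before" sandbox-paths entry and the /bin/busybox.static location (installed by Alpine's busybox-static package) are assumptions. Only one of the two pairs belongs in the real file.

```ini
# Before (assumed to match what the issue describes): the sandbox is off, and
# the only host file bind-mounted into the build namespace is /bin/sh itself.
# On Alpine that binary is dynamically linked against musl, so the loader and
# libc it needs are absent inside the sandbox and every build fails the moment
# sandbox is switched to true without also changing sandbox-paths.
sandbox = false
sandbox-paths = /bin/sh=/bin/sh

# After: sandbox on, with /bin/sh inside the namespace mapped (target=source)
# to a statically linked shell, which depends on nothing beyond the single
# file Nix bind-mounts. Path assumed from the busybox-static package.
sandbox = true
sandbox-paths = /bin/sh=/bin/busybox.static
```

Before enabling the sandbox, confirm the mapped source binary is really static: ldd on it should report that it is not a dynamic executable, whereas ldd on the host /bin/sh lists the musl loader.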