author | Ludovic Courtès <ludo@gnu.org> | 2025-04-25 20:17:17 +0200 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2025-04-25 20:25:54 +0200 |
commit | 0d3bc50b0cffeae05beb12d0c270c6599186c0d7 (patch) | |
tree | 6bda5c169fcdf4e98e7609d39b5db33ab7fbd662 | |
parent | 5529636006254c52d42b0a7755e651e42d0fb6c9 (diff) | |
daemon: Use the guest GID in /etc/group.
Partly fixes <https://issues.guix.gnu.org/77862>.
Fixes a bug whereby, when running guix-daemon unprivileged, /etc/group
would contain the wrong GID for the “nixbld” group. This inconsistency
would lead to failures in the Coreutils test suite, for instance.
* nix/libstore/build.cc (DerivationGoal::startBuilder): Use ‘guestGID’
when writing /etc/group.
* tests/store.scm ("/etc/passwd and /etc/group"): New test.
Reported-by: keinflue <keinflue@posteo.net>
Change-Id: I739bc96c4c935fd9015a45e2bfe5b3e3f90554a9
-rw-r--r-- | nix/libstore/build.cc | 2 | ||||
-rw-r--r-- | tests/store.scm | 22 |
2 files changed, 23 insertions, 1 deletions
diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 4ee4a1ae5f..a1f39d9a8b 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -1854,7 +1854,7 @@ void DerivationGoal::startBuilder()
 view of the system (e.g., "id -gn"). */
 writeFile(chrootRootDir + "/etc/group",
 (format("nixbld:!:%1%:\n")
- % (buildUser.enabled() ? buildUser.getGID() : getgid())).str());
+ % (buildUser.enabled() ? buildUser.getGID() : guestGID)).str());
 
 /* Create /etc/hosts with localhost entry. */
 if (!fixedOutput)
diff --git a/tests/store.scm b/tests/store.scm
index b467314bdc..112ea7e2fc 100644
--- a/tests/store.scm
+++ b/tests/store.scm
@@ -445,6 +445,28 @@
 (unless (unprivileged-user-namespace-supported?)
 (test-skip 1))
+(test-equal "/etc/passwd and /etc/group"
+ '((name "nixbld")
+ (uid 30001)
+ (gid 30000)
+ (group-name "nixbld"))
+ (let ((d (build-expression->derivation
+ %store "passwd-group-check"
+ `(call-with-output-file %output
+ (lambda (port)
+ ',(gettimeofday)
+ (let ((pw (getpwuid (getuid)))
+ (gr (getgrgid (getgid))))
+ (write `((name ,(passwd:name pw))
+ (uid ,(passwd:uid pw))
+ (gid ,(passwd:gid pw))
+ (group-name ,(group:name gr)))
+ port)))))))
+ (build-derivations %store (list d))
+ (call-with-input-file (derivation->output-path d) read)))
+
+(unless (unprivileged-user-namespace-supported?)
+ (test-skip 1))
 (test-equal "inputs are read-only"
 "All good!"
 (let* ((input (plain-file (string-append "might-be-tampered-with-" |
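Review bot: The GID selection on the changed line of the build.cc hunk, `buildUser.enabled() ? buildUser.getGID() : guestGID`, is written inline with no comment saying why the daemon's own `getgid()` is the wrong value, and the `/etc/passwd` entry that the new test expects to agree with it is written elsewhere in this function (outside the hunk, so it cannot be checked here). I would hoist the choice into a single local shared by both writes, `const gid_t chrootGID = buildUser.enabled() ? buildUser.getGID() : guestGID;`, so the two files cannot drift apart again, and put `/* With an unprivileged daemon the build sees guestGID, not the daemon's GID, and /etc/group must match /etc/passwd (see "id -gn"). */` above the `writeFile` call. That guestGID is the GID visible to the build is taken from the commit message rather than from anything in the hunk, so the wording should be confirmed against where guestGID is defined. DerivationGoal::startBuilder begins and ends outside the hunk.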