[Nix-dev] /etc/{passwd, group} don't match the build user effective UID/GID

[Ludovic Courtès]

Hello,

While investigating a Coreutils test suite failure, Lluís and I stumbled
upon an interesting inconsistency wrt. build users and their effective
UID/GID:

  http://thread.gmane.org/gmane.comp.gnu.coreutils.bugs/19132/focus=19163

A simple fix is to have the nixbld[0-9] users belong to ‘nixbld’ and no
other group:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/x-patch
Size: 668 bytes
Desc: not available
Url : http://lists.science.uu.nl/pipermail/nix-dev/attachments/20091206/04330ddb/attachment.bin 
-------------- next part --------------

However, one then hits this ‘libstore/build.cc’ check:

--8<---------------cut here---------------start------------->8---
    struct group * gr = getgrnam(buildUsersGroup.c_str());
    if (!gr)
        throw Error(format("the group `%1%' specified in `build-users-group' does not exist")
            % buildUsersGroup);
    gid = gr->gr_gid;

    /* Copy the result of getgrnam. */
    Strings users;
    for (char * * p = gr->gr_mem; *p; ++p) {
        debug(format("found build user `%1%'") % *p);
        users.push_back(*p);
    }

    if (users.empty())
        throw Error(format("the build users group `%1%' has no members")
            % buildUsersGroup);
--8<---------------cut here---------------end--------------->8---

However, my understanding is that the getgrnam(3) call above returns the
list of users having ‘buildUsersGroup’ among their supplementary groups.
Thus, a user belonging to the ‘nixbld’ group and having no supplementary
group doesn’t pass this test, which looks wrong to me.

Consequently, I’m inclined to remove this snippet altogether, which
should allow the patch above to work as expected.

Thoughts?

Thanks,
Ludo’.