[Nix-dev] Re: /etc/{passwd, group} don't match the build user effective UID/GID

Ludovic Courtès ludo at gnu.org
Mon Dec 7 17:57:45 CET 2009


Hi,

Eelco Dolstra <e.dolstra at tudelft.nl> writes:

> Maybe what you want is:
>
>   group = "nixbld";
>   extraGroups = ["nixbld"];

That doesn’t work:

--8<---------------cut here---------------start------------->8---
$ sudo usermod nixbld1 --gid nixbld --groups "nixbld"
usermod: `nixbld' is primary group name.

$ getent group nixbld
nixbld:!:30000:
--8<---------------cut here---------------end--------------->8---

Another possibility is to keep ‘nogroup’ as the primary group and
‘nixbld’ as the supplementary group while having ‘build.cc’ call
setgroups(2) with ‘nogroup’ as the supplementary group.  WDYT?

(That still looks ugly because we really mean to say “these users belong
to ‘nixbld’ and nothing else”...)

> BTW, this line in build.cc should be changed:
>
>         writeStringToFile(chrootRootDir + "/etc/passwd",
>             (format(
>                 "nixbld:x:%1%:65534:Nix build user:/:/noshell\n"
>                 "nobody:x:65534:65534:Nobody:/:/noshell\n")
>                 % (buildUser.enabled() ? buildUser.getUID() : getuid())).str());
>
> Otherwise "id" will still get confused in a chroot.

In the chroot “getent group nixbld” fails but ‘id’ doesn’t [0].

Thanks,
Ludo’.

[0] http://thread.gmane.org/gmane.comp.gnu.coreutils.bugs/19132/focus=19163
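
An added example, not part of the message above and not Nix code: a small check of whether the passwd and group files in a build chroot can name the UID, primary GID and supplementary groups a build process runs with, which is the mismatch this thread is about. The UID 30001 and both file contents are constructed samples; 30000 and 65534 are the IDs shown in the thread.

```cpp
// Added example, not Nix code. UID 30001 and the file contents are constructed samples.
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

using Table = std::map<unsigned long, std::vector<std::string>>;

// Parse passwd(5) or group(5) text, keyed by the numeric ID in the third field.
static Table parse(const std::string & text) {
    Table t;
    std::istringstream in(text);
    for (std::string line; std::getline(in, line); ) {
        std::vector<std::string> f;
        std::istringstream ls(line);
        for (std::string field; std::getline(ls, field, ':'); ) f.push_back(field);
        if (f.size() >= 3 && !f[2].empty()
            && f[2].find_first_not_of("0123456789") == std::string::npos)
            t.emplace(std::stoul(f[2]), f);
    }
    return t;
}

// List every ID the process runs with that the chroot's files cannot name or contradict.
std::vector<std::string> check(const std::string & passwd, const std::string & group,
    unsigned long uid, unsigned long gid, const std::vector<unsigned long> & extra)
{
    std::vector<std::string> problems;
    Table users = parse(passwd), groups = parse(group);
    auto u = users.find(uid);
    if (u == users.end())
        problems.push_back("uid " + std::to_string(uid) + ": no passwd entry");
    else if (u->second.size() > 3 && u->second[3] != std::to_string(gid))
        problems.push_back("passwd says gid " + u->second[3] + ", process has " + std::to_string(gid));
    std::vector<unsigned long> all(extra);
    all.insert(all.begin(), gid);  // primary group first, then supplementary groups
    for (unsigned long g : all)
        if (!groups.count(g))
            problems.push_back("gid " + std::to_string(g) + ": no group entry");
    return problems;
}

const std::string samplePasswd =   // constructed, same layout as the quoted build.cc string
    "nixbld:x:30001:65534:Nix build user:/:/noshell\n"
    "nobody:x:65534:65534:Nobody:/:/noshell\n";
const std::string sampleGroup = "nogroup:x:65534:\n";   // constructed; no nixbld line

int main() {
    // Primary group nogroup (65534), supplementary group nixbld (30000).
    for (const auto & p : check(samplePasswd, sampleGroup, 30001, 65534, {30000}))
        std::cout << p << "\n";
}
```
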



