[Nix-dev] Re: /etc/{passwd, group} don't match the build user effective UID/GID

Lluís Batlle viriketo at gmail.com
Mon Dec 7 18:31:43 CET 2009


In short, what coreutils expects is a coherency between the name
databases and the process uid/gid/groups.
For a given builder, the database says:
- uid: nixbld1
- gid: nogroup
- groups: nixbld

while build.cc sets the process, instead of that information, to:
- uid: nixbld1
- gid: nixbld
- groups:

getent only checks the databases for uid/gid/groups relationships. id
shows the process information, and may check the databases only for
name resolution, I think.

For those tests to go well, I think we should try to get build
processes to match the database information, as if they logged in.

2009/12/7 Ludovic Courtès <ludo at gnu.org>:
> Hi,
>
> Eelco Dolstra <e.dolstra at tudelft.nl>
> writes:
>
>> Maybe what you want is:
>>
>>   group = "nixbld";
>>   extraGroups = ["nixbld"];
>
> That doesn’t work:
>
> --8<---------------cut here---------------start------------->8---
> $ sudo usermod nixbld1 --gid nixbld --groups "nixbld"
> usermod: `nixbld' is primary group name.
>
> $ getent group nixbld
> nixbld:!:30000:
> --8<---------------cut here---------------end--------------->8---
>
> Another possibility is to keep ‘nogroup’ as the primary group and
> ‘nixbld’ as the supplementary group while having ‘build.cc’ call
> setgroups(2) with ‘nogroup’ as the supplementary group.  WDYT?
>
> (That still looks ugly because we really mean to say “these users belong
> to ‘nixbld’ and nothing else”...)
>
>> BTW, this line in build.cc should be changed:
>>
>>         writeStringToFile(chrootRootDir + "/etc/passwd",
>>             (format(
>>                 "nixbld:x:%1%:65534:Nix build user:/:/noshell\n"
>>                 "nobody:x:65534:65534:Nobody:/:/noshell\n")
>>                 % (buildUser.enabled() ? buildUser.getUID() : getuid())).str());
>>
>> Otherwise "id" will still get confused in a chroot.
>
> In the chroot “getent group nixbld” fails but ‘id’ doesn’t [0].
>
> Thanks,
> Ludo’.
>
> [0] http://thread.gmane.org/gmane.comp.gnu.coreutils.bugs/19132/focus=19163
>
> _______________________________________________
> nix-dev mailing list
> nix-dev at cs.uu.nl
> https://mail.cs.uu.nl/mailman/listinfo/nix-dev
>
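The coherency check Lluís describes, as an added example in C that is not code from Nix or from either post in this thread: creds_mismatch() compares one view of a user's credentials against another the way a logged-in session would look, with the process side being what id(1) reports (geteuid, getegid, getgroups) and the database side being what getent(1) reads (getpwuid, getgrouplist). The three small functions after it replay the configurations discussed above with constructed ids: nixbld = 30000 and nogroup = 65534 come from the thread, 30001 for nixbld1 is an assumption, and drop_to_user_like_login() shows what "as if they logged in" amounts to in libc calls. It assumes Linux/glibc.

```c
/* Added example, not code from Nix or from either post in this thread: a check that a
 * process's effective uid, gid and supplementary groups agree with what the name
 * databases say for that user, as after a login. creds_mismatch() is a pure comparison,
 * exercised on the thread's configurations; main() applies it to the calling process. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#define MAX_GROUPS 64

enum { MISMATCH_UID = 1, MISMATCH_GID = 2, MISMATCH_GROUPS = 4 };

/* One view of a user's credentials: what id(1) prints, or what getent(1) reads. */
struct creds {
    uid_t uid;
    gid_t gid;                /* primary (for the process: effective) gid */
    gid_t groups[MAX_GROUPS]; /* supplementary groups */
    int   ngroups;
};

/* Membership in the full group set, i.e. what id(1) lists under "groups=". */
static int in_groupset(const struct creds *c, gid_t g) {
    if (g == c->gid) return 1;
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g) return 1;
    return 0;
}

static int groupset_subset(const struct creds *a, const struct creds *b) {
    if (!in_groupset(b, a->gid)) return 0;
    for (int i = 0; i < a->ngroups; i++)
        if (!in_groupset(b, a->groups[i])) return 0;
    return 1;
}

/* 0 when the process looks like a logged-in session of that user, else MISMATCH_* flags.
 * Group sets are compared as sets, so order and a repeated egid from getgroups() are fine. */
int creds_mismatch(const struct creds *proc, const struct creds *db) {
    int r = 0;
    if (proc->uid != db->uid) r |= MISMATCH_UID;
    if (proc->gid != db->gid) r |= MISMATCH_GID;
    if (!groupset_subset(proc, db) || !groupset_subset(db, proc)) r |= MISMATCH_GROUPS;
    return r;
}

/* Constructed ids: nixbld = 30000 and nogroup = 65534 appear in the thread; 30001 for
 * nixbld1 is an assumption. DB_NIXBLD1 is the database view Lluís lists for a builder. */
enum { UID_NIXBLD1 = 30001, GID_NIXBLD = 30000, GID_NOGROUP = 65534 };
static const struct creds DB_NIXBLD1 = { UID_NIXBLD1, GID_NOGROUP, { GID_NIXBLD }, 1 };

/* build.cc as described: gid nixbld, empty supplementary list. */
int mismatch_build_cc(void) {
    struct creds proc = { UID_NIXBLD1, GID_NIXBLD, { 0 }, 0 };
    return creds_mismatch(&proc, &DB_NIXBLD1);   /* MISMATCH_GID | MISMATCH_GROUPS */
}

/* Ludovic's alternative: gid nixbld plus setgroups(nogroup). Same set, wrong primary. */
int mismatch_setgroups_nogroup(void) {
    struct creds proc = { UID_NIXBLD1, GID_NIXBLD, { GID_NOGROUP }, 1 };
    return creds_mismatch(&proc, &DB_NIXBLD1);   /* MISMATCH_GID */
}

/* "As if they logged in": primary and supplementary groups both from the databases. */
int mismatch_as_logged_in(void) {
    struct creds proc = { UID_NIXBLD1, GID_NOGROUP, { GID_NIXBLD }, 1 };
    return creds_mismatch(&proc, &DB_NIXBLD1);   /* 0 */
}

/* Process side (what id reads) and database side (what getent reads) of this process. */
static int live_creds(struct creds *proc, struct creds *db) {
    proc->uid = geteuid();
    proc->gid = getegid();
    if ((proc->ngroups = getgroups(MAX_GROUPS, proc->groups)) < 0) return -1;
    struct passwd *pw = getpwuid(proc->uid);
    if (!pw) return -1;
    db->uid = pw->pw_uid;
    db->gid = pw->pw_gid;
    db->ngroups = MAX_GROUPS;
    return getgrouplist(pw->pw_name, pw->pw_gid, db->groups, &db->ngroups);
}

/* How a builder becomes consistent by construction: initgroups() loads the supplementary
 * list from the group database exactly as login does. Needs root. */
int drop_to_user_like_login(const char *name) {
    struct passwd *pw = getpwnam(name);
    if (!pw || initgroups(name, pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0) return -1;
    return setuid(pw->pw_uid);
}

int main(void) {
    struct creds proc, db;
    if (live_creds(&proc, &db) < 0) { perror("credential lookup"); return 1; }
    int m = creds_mismatch(&proc, &db);
    printf("uid %u: process gid %u, database gid %u -> %s (flags %d)\n", (unsigned)proc.uid,
           (unsigned)proc.gid, (unsigned)db.gid, m ? "MISMATCH" : "consistent", m);
    return m ? 2 : 0;
}
```

Run as the build user (inside the chroot, the passwd and group files it sees are the ones build.cc writes there) and the exit status says whether id and getent would agree; the flags distinguish a wrong primary gid from a wrong supplementary set, which is the difference between the two configurations Ludovic describes. The inside-the-chroot caveat from the thread still applies: if the chroot's /etc/group has no entry for the build group, getgrouplist() on the database side fails even though the process side looks fine.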