[Nix-dev] Additional groups in buildFHSUserEnv
Nikolay Amiantov
ab at fmap.me
Mon Mar 6 14:26:17 CET 2017
On 03/05/2017 05:39 PM, Tim Dempsey wrote:
> Is it possible to specify additional groups when entering a
> buildFHSUserEnv? I have a prepackage binary that needs access to a usb
> serial device and when i enter the environment using nix-shell I end
> up with the following groups: users, nobody. At minimum, I would like
> to add the dialout group but ideally an option to pass my current
> groups into the env would be great. If I use sudo nix-shell it works
> of course but seems like an awful big hammer. :)
See user_namespaces(7)[1]:

    In the case of gid_map, use of the setgroups(2) system call
    must first be denied by writing "deny" to the
    /proc/[pid]/setgroups file (see below) before writing to
    gid_map.
i.e. you can't set supplemental groups in an unprivileged user
namespace. I don't remember the exact cause of this (it's security-related);
it started with Linux 3.19[2].
So, sadly, this is not possible without sudo.
1: http://man7.org/linux/man-pages/man7/user_namespaces.7.html
2: https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/build-fhs-userenv/chroot-user.rb#L117
--
Nikolay.
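The kernel rule quoted above can be observed directly. The following C program is an added example written for this page; it is not code from the nix-dev thread or from the nixpkgs buildFHSUserEnv launcher. It forks a child that does the same minimal setup an unprivileged FHS-env launcher has to do (unshare a user namespace, write "deny" to /proc/self/setgroups, map one uid and one gid) and then calls setgroups(2), which the kernel refuses with EPERM. Before the deny it also attempts the gid_map write, which is refused for a non-root caller, matching the man page sentence. Where unshare(CLONE_NEWUSER) itself is not permitted (a seccomp profile, a distribution sysctl), the probe reports that instead of failing; the result codes and function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of probe_userns_setgroups(); values are this example's own. */
enum probe_result {
    PROBE_ERROR = -1,      /* fork/waitpid failed */
    PROBE_DENIED = 1,      /* setgroups(2) failed with EPERM inside the new user namespace */
    PROBE_UNSUPPORTED = 2, /* unshare(CLONE_NEWUSER) is not permitted in this environment */
    PROBE_UNEXPECTED = 3   /* a setup step failed, or setgroups(2) did not fail */
};

/* Write a short string to a /proc file; 0 on success, -1 with errno set. */
static int write_proc(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    int saved = errno;
    close(fd);
    if (n != (ssize_t)strlen(data)) {
        errno = saved;
        return -1;
    }
    return 0;
}

/* Runs in the forked child so the caller's own namespaces are untouched. */
static int child_probe(void)
{
    char map[64];
    uid_t uid = geteuid();
    gid_t gid = getegid();

    if (unshare(CLONE_NEWUSER) != 0)
        return PROBE_UNSUPPORTED;

    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)gid);

    /* Without CAP_SETGID in the parent namespace (i.e. not real root), writing
     * gid_map before denying setgroups is refused with EPERM. Informational only. */
    if (uid != 0 && write_proc("/proc/self/gid_map", map) != 0)
        fprintf(stderr, "gid_map before deny: %s\n", strerror(errno));

    /* The order the man page requires: deny setgroups first, then map gids. */
    if (write_proc("/proc/self/setgroups", "deny") != 0)
        return PROBE_UNEXPECTED;
    if (write_proc("/proc/self/gid_map", map) != 0)
        return PROBE_UNEXPECTED;
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)uid);
    if (write_proc("/proc/self/uid_map", map) != 0)
        return PROBE_UNEXPECTED;

    /* gid 0 is the one gid mapped in this namespace; even that cannot be set as a
     * supplementary group now, which is why a "dialout" group cannot be added. */
    gid_t extra[1] = { 0 };
    if (setgroups(1, extra) == -1 && errno == EPERM)
        return PROBE_DENIED;
    return PROBE_UNEXPECTED;
}

/* Fork the probe and return the child's result code. */
enum probe_result probe_userns_setgroups(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0)
        _exit(child_probe());
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return PROBE_ERROR;
    return (enum probe_result)WEXITSTATUS(status);
}

int main(void)
{
    switch (probe_userns_setgroups()) {
    case PROBE_DENIED:
        puts("setgroups(2) refused with EPERM inside the unprivileged user namespace");
        break;
    case PROBE_UNSUPPORTED:
        puts("unshare(CLONE_NEWUSER) not permitted here; nothing to observe");
        break;
    default:
        puts("unexpected result; check kernel version and sysctls");
    }
    return 0;
}
```

Build with `cc -o userns_probe userns_probe.c` and run as an ordinary user. On a kernel from 3.19 onward the only two outcomes for a correct setup are the EPERM from setgroups(2) or an environment that forbids creating the namespace at all; there is no code path in which the new namespace keeps or gains supplementary groups, which is the limitation the reply describes.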