Clear supplementary groups of `nixbld' in /etc/passwd in chroots.
* src/libstore/build.cc (nix::DerivationGoal::startBuilder): Don't display any supplementary groups for `nixbld' in /etc/passwd.
This commit is contained in:
parent
05fbf61f0e
commit
2e8eaca573
1 changed files with 5 additions and 4 deletions
|
@ -1566,14 +1566,15 @@ void DerivationGoal::startBuilder()
|
||||||
createDirs(chrootTmpDir);
|
createDirs(chrootTmpDir);
|
||||||
chmod(chrootTmpDir, 01777);
|
chmod(chrootTmpDir, 01777);
|
||||||
|
|
||||||
/* Create a /etc/passwd with entries for the build user and
|
/* Create a /etc/passwd with entries for the build user and the
|
||||||
the nobody account. The latter is kind of a hack to
|
nobody account. The latter is kind of a hack to support
|
||||||
support Samba-in-QEMU. */
|
Samba-in-QEMU. For the sake of consistency with the setgroups(2)
|
||||||
|
call below, the build user has no supplementary groups. */
|
||||||
createDirs(chrootRootDir + "/etc");
|
createDirs(chrootRootDir + "/etc");
|
||||||
|
|
||||||
writeFile(chrootRootDir + "/etc/passwd",
|
writeFile(chrootRootDir + "/etc/passwd",
|
||||||
(format(
|
(format(
|
||||||
"nixbld:x:%1%:65534:Nix build user:/:/noshell\n"
|
"nixbld:x:%1%:%1%:Nix build user:/:/noshell\n"
|
||||||
"nobody:x:65534:65534:Nobody:/:/noshell\n")
|
"nobody:x:65534:65534:Nobody:/:/noshell\n")
|
||||||
% (buildUser.enabled() ? buildUser.getUID() : getuid())).str());
|
% (buildUser.enabled() ? buildUser.getUID() : getuid())).str());
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue