Create escape hatch for supplementary group sandboxing woes

There is no obvious good solution for this that has occured to anyone.
2025-12-03 23:51:00 +01:00 · 2023-05-08 14:41:47 -04:00 · 2023-05-08 14:41:47 -04:00 · 6d1aa523de
commit 6d1aa523de
parent 4539ab530a
2 changed files with 23 additions and 9 deletions
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@ -907,15 +907,10 @@ void LocalDerivationGoal::startBuilder()
            openSlave();

            /* Drop additional groups here because we can't do it
-               after we've created the new user namespace.  FIXME:
-               this means that if we're not root in the parent
-               namespace, we can't drop additional groups; they will
-               be mapped to nogroup in the child namespace. There does
-               not seem to be a workaround for this. (But who can tell
-               from reading user_namespaces(7)?)
-               See also https://lwn.net/Articles/621612/. */
-            if (getuid() == 0 && setgroups(0, 0) == -1)
-                throw SysError("setgroups failed");
+               after we've created the new user namespace. */
+            if (settings.dropSupplementaryGroups)
+                if (setgroups(0, 0) == -1)
+                    throw SysError("setgroups failed");

            ProcessOptions options;
            options.cloneFlags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | CLONE_PARENT | SIGCHLD;