From 51449d7a5197ee66a647d2e0cf4374aa6e850c4b Mon Sep 17 00:00:00 2001
From: Cole Helbling
Date: Tue, 15 Jul 2025 09:56:07 -0700
Subject: [PATCH 1/2] external-derivation-builder: run under build user, chown topTmpDir to builder

The chown to builder is necessary for granting the builder the ability to access its entire ancestry (which is required on macOS for things like mounting the build directory into a VM to work) while running under a build user. Eelco mentioned that the reason topTmpDir is generally 700 is because of how the Linux chroot is setup, but since we do not use a chroot on macOS, it's fine to make the build dir readable to the build user.
---
 .../unix/build/external-derivation-builder.cc | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/libstore/unix/build/external-derivation-builder.cc b/src/libstore/unix/build/external-derivation-builder.cc
index 508ad45a3..79ce0ba45 100644
--- a/src/libstore/unix/build/external-derivation-builder.cc
+++ b/src/libstore/unix/build/external-derivation-builder.cc
@@ -29,9 +29,7 @@ struct ExternalDerivationBuilder : DerivationBuilderImpl
 bool prepareBuild() override
 {
- // External builds don't use build users, so this always
- // succeeds.
- return true;
+ return DerivationBuilderImpl::prepareBuild();
 }
 Path tmpDirInSandbox() override
@@ -49,7 +47,12 @@ struct ExternalDerivationBuilder : DerivationBuilderImpl
 void prepareUser() override
 {
- // Nothing to do here since we don't have a build user.
+ DerivationBuilderImpl::prepareUser();
+ }
+
+ void setUser() override
+ {
+ DerivationBuilderImpl::setUser();
 }
 void checkSystem() override
@@ -103,6 +106,10 @@ struct ExternalDerivationBuilder : DerivationBuilderImpl
 args.insert(args.end(), jsonFile);
+ chownToBuilder(topTmpDir);
+
+ setUser();
+
 debug("executing external builder: %s", concatStringsSep(" ", args));
 execv(externalBuilder.program.c_str(), stringsToCharPtrs(args).data());
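Review bot: `prepareBuild` in this hunk, and `prepareUser` and `setUser` in the next one, are now overrides whose entire body is a call to the same base-class member, which is behaviourally the same as not overriding at all unless those base members are pure virtual with a provided body. Dropping the three forwarding overrides would make it obvious that the external builder uses the stock build-user handling. If they are kept on purpose as hooks for later platform-specific behaviour, a comment should say so before a future cleanup removes them, e.g. `// Intentionally delegates: external builds use the standard build-user setup.`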
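Review bot: After `chownToBuilder(topTmpDir);` in the third hunk the build user owns the top-level temp directory and can therefore change its mode and contents, so any daemon-side code that runs after the builder exits should no longer treat topTmpDir as a daemon-controlled 700 directory; the commit message carries this rationale but the code does not, so a comment at that line would preserve it: `// Builder must own topTmpDir to reach its build dir (e.g. VM mounts on macOS); from here on the directory is builder-controlled, not daemon-controlled.` `setUser()` is then called unconditionally on this exec path; whether the base implementation copes with having no build user (non-root or single-user daemon) cannot be seen from the hunk and should be confirmed. The enclosing function starts outside the hunk.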
From d3dc64b81138417290ac31f6fb9171d3778f1ad3 Mon Sep 17 00:00:00 2001
From: Cole Helbling
Date: Tue, 15 Jul 2025 09:56:07 -0700
Subject: [PATCH 2/2] external-derivation-builder: chdir into tmpdir

---
 src/libstore/unix/build/external-derivation-builder.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/libstore/unix/build/external-derivation-builder.cc b/src/libstore/unix/build/external-derivation-builder.cc
index 79ce0ba45..a393d75d9 100644
--- a/src/libstore/unix/build/external-derivation-builder.cc
+++ b/src/libstore/unix/build/external-derivation-builder.cc
@@ -106,6 +106,9 @@ struct ExternalDerivationBuilder : DerivationBuilderImpl
 args.insert(args.end(), jsonFile);
+ if (chdir(tmpDir.c_str()) == -1)
+ throw SysError("changing into '%1%'", tmpDir);
+
 chownToBuilder(topTmpDir);
 setUser();
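Review bot: The added `throw SysError("changing into '%1%'", tmpDir);` runs on what the `execv` following this hunk suggests is the child side of a fork; if the enclosing function does not catch exceptions at this point and route them into the child's error reporting, the throw would unwind through state duplicated from the parent rather than surface as a build failure, which is worth confirming since the enclosing function starts and ends outside the hunk. The ordering is sensible, as the chdir happens while the process still has the daemon's privileges and before `setUser()` drops them, but nothing says so; a one-line comment above the `if` would keep a later reorder from breaking it: `// chdir while still privileged; ownership and uid are changed below.`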