mirror of
https://github.com/NixOS/nix.git
synced 2025-11-15 23:12:44 +01:00
5a794d9366
If you have the Nix store mounted from a nonlocal filesystem whose exporter is not running as root, making the directory mode 000 makes it inaccessible to that remote unprivileged user and therefore breaks the build. (Specifically, I am running into this with a virtiofs mount using Apple Virtualization.framework as a non-root user, but I expect the same thing would happen with virtiofs in qemu on Linux as a non-root user or with various userspace network file servers.) Make the directory mode 500 (dr-x------) to make the sandbox work in this use case, which explicitly conveys our intention to read and search the directory. The code only works because root can already bypass directory checks, so this does not actually grant more permissions to the directory owner / does not make the sandbox less secure. |
||
|---|---|---|
| .. | ||
| build | ||
| meson.build | ||
| pathlocks.cc | ||
| user-lock.cc | ||
| user-lock.hh | ||