Change the Nix build users to have no supplementary group.

For details, see: http://thread.gmane.org/gmane.linux.distributions.nixos/3264 http://thread.gmane.org/gmane.linux.distributions.nixos/3263/focus=3289 svn path=/nixos/trunk/; revision=18918
2009-12-13 15:29:42 +00:00 · 2009-12-13 15:29:42 +00:00 · 83d657b102
commit 83d657b102
parent 4d7e344f69
1 changed files with 18 additions and 3 deletions
--- a/modules/config/users-groups.nix
+++ b/modules/config/users-groups.nix
@ -23,14 +23,19 @@ let
            description = "Unprivileged account (don't use!)";
          }
        ];
-      
+
      makeNixBuildUser = nr:
        { name = "nixbld${toString nr}";
          description = "Nix build user ${toString nr}";
+
+          /* For consistency with the setgid(2), setuid(2), and setgroups(2)
+             calls in `libstore/build.cc', don't add any supplementary group
+             here.  */
          uid = builtins.add ids.uids.nixbld nr;
-          extraGroups = ["nixbld"];
+          group = "nixbld";
+          extraGroups = [];
        };
-        
+
      nixBuildUsers = map makeNixBuildUser (pkgs.lib.range 1 10);
      
      addAttrs =
@ -208,6 +213,16 @@ in
                    --groups "$extraGroups" \
                    ''${home:+--home "$home"} \
                    --shell "$shell"
+                if test -z "$extraGroups"
+                then
+                    # Make sure the user is listed as belonging to its
+                    # primary group when it has no supplementary groups.  The
+                    # main reason is to have the `nixbld[0-9]' users be
+                    # listed as `nixbld' members; this allows `nix-store' to
+                    # get the UIDs of all the build users by doing a
+                    # getprnam("nixbld") call.
+                    groupmod "$group" -A "$name"
+                fi
            fi

        done