public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Change the Nix build users to have no supplementary group.

Browse Source 
For details, see:
http://thread.gmane.org/gmane.linux.distributions.nixos/3264
http://thread.gmane.org/gmane.linux.distributions.nixos/3263/focus=3289

svn path=/nixos/trunk/; revision=18918
This commit is contained in:
Ludovic Courtès 2009-12-13 15:29:42 +00:00
parent 4d7e344f69
commit 83d657b102
1 changed files with 18 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
modules/config/users-groups.nix
View File

@ -23,14 +23,19 @@ let
description = "Unprivileged account (don't use!)"; description = "Unprivileged account (don't use!)";
} }
]; ];
makeNixBuildUser = nr: makeNixBuildUser = nr:
{ name = "nixbld${toString nr}"; { name = "nixbld${toString nr}";
description = "Nix build user ${toString nr}"; description = "Nix build user ${toString nr}";
/* For consistency with the setgid(2), setuid(2), and setgroups(2)
calls in `libstore/build.cc', don't add any supplementary group
here. */
uid = builtins.add ids.uids.nixbld nr; uid = builtins.add ids.uids.nixbld nr;
extraGroups = ["nixbld"]; group = "nixbld";
extraGroups = [];
}; };
nixBuildUsers = map makeNixBuildUser (pkgs.lib.range 1 10); nixBuildUsers = map makeNixBuildUser (pkgs.lib.range 1 10);
addAttrs = addAttrs =
@ -208,6 +213,16 @@ in
--groups "$extraGroups" \ --groups "$extraGroups" \
''${home:+--home "$home"} \ ''${home:+--home "$home"} \
--shell "$shell" --shell "$shell"
if test -z "$extraGroups"
then
# Make sure the user is listed as belonging to its
# primary group when it has no supplementary groups. The
# main reason is to have the `nixbld[0-9]' users be
# listed as `nixbld' members; this allows `nix-store' to
# get the UIDs of all the build users by doing a
# getprnam("nixbld") call.
groupmod "$group" -A "$name"
fi
fi fi
done done