src/libstore/globals.hh: documentation: no root needed if userns (#6358)
On my Linux system with CONFIG_USER_NS=y and /proc/sys/user/max_user_namespaces > 0, Nix is definitely doing sandboxing. I don't believe that giving root access to Nix is required in order to get sandboxing in this case.
It does some sandboxing, but it can't be relied on as a security feature since it doesn't run builds under a different uid.
Thanks, I did not realize that nix was not using
So, the root reason for this PR was that I noticed that the result of some builds depended on whether sandboxing was enabled (see NixOS/nixpkgs#166879). Note that this involved derivations which would succeed whether or not sandboxing was enabled -- but produce different results. A real headache. I assumed that sandboxing was an all-or-nothing bit that is either set or not. Since that bit affects the results of a build but does not affect the derivation, I wanted to document as clearly as possible the conditions under which the bit gets set/cleared. After digging more deeply into this, nix's sandboxing isn't just a bit. There appear to be multiple levels of sandboxing, and conceivably a build could behave differently at each of those levels. So, the problem isn't really a documentation problem. Or at least it can't be dealt with using documentation changes.
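The two kernel conditions named in the first comment (CONFIG_USER_NS=y and /proc/sys/user/max_user_namespaces > 0) decide whether an unprivileged Nix can set up a sandbox at all, which is exactly the "which level of sandboxing am I getting" question the last comment raises. The following diagnostic is an added example and not part of this PR or of Nix; it reads those two values, classifies them, and then tries the live operation (`unshare -U`) as a regular user. The `/boot/config-$(uname -r)` fallback path is an assumption about where the distribution keeps the kernel config.

```shell
#!/bin/sh
# Added diagnostic (not Nix project code): can this host create unprivileged
# user namespaces, the precondition for Nix sandboxing without root?

# Classify from two inputs so the logic can be checked offline:
#   $1 - CONFIG_USER_NS value: "y", "n", or "" when unknown
#   $2 - contents of /proc/sys/user/max_user_namespaces, "" when absent
# Prints: enabled | disabled-by-sysctl | not-compiled | unknown
userns_classify() {
    cfg=$1
    max=$2
    if [ "$cfg" = "n" ]; then
        echo not-compiled
    elif [ -n "$max" ] && [ "$max" -eq 0 ] 2>/dev/null; then
        echo disabled-by-sysctl        # kernel support present, sysctl turned it off
    elif [ "$cfg" = "y" ] && [ -n "$max" ] && [ "$max" -gt 0 ] 2>/dev/null; then
        echo enabled
    else
        echo unknown                   # config not exposed, or inconsistent inputs
    fi
}

# Read CONFIG_USER_NS from the running kernel's config, where it is exposed.
# The /boot path is an assumption; adjust for your distribution.
read_config_user_ns() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz 2>/dev/null | sed -n 's/^CONFIG_USER_NS=//p'
    elif [ -r "/boot/config-$(uname -r)" ]; then
        sed -n 's/^CONFIG_USER_NS=//p' "/boot/config-$(uname -r)"
    fi
}

# Live check: exit 0 only if an unprivileged user namespace can be created now.
# Run this as the user that will invoke Nix, not as root (root always succeeds).
userns_live_check() {
    unshare -U true 2>/dev/null
}

main() {
    cfg=$(read_config_user_ns)
    max=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null)
    echo "CONFIG_USER_NS=${cfg:-unknown} max_user_namespaces=${max:-absent}"
    echo "classification: $(userns_classify "$cfg" "$max")"
    if userns_live_check; then
        echo "unshare -U succeeded: sandbox setup possible without root"
    else
        echo "unshare -U failed: sandbox unavailable without root on this host"
    fi
}

main "$@"
```

Even when the script reports "enabled", the second comment's caveat still applies: builds that run under the same uid as the caller are isolated by namespaces, not by user separation, so treat the result as "reproducibility sandbox", not "security boundary".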