From d2261d590658f490971cd5cbfc41d0485b8e54f1 Mon Sep 17 00:00:00 2001 From: Adam Joseph Date: Sun, 3 Apr 2022 15:42:52 -0700 Subject: [PATCH] src/libstore/globals.hh: documentation: no root needed if userns On my Linux system with CONFIG_USER_NS=y and /proc/sys/user/max_user_namespaces > 0, Nix is definitely doing sandboxing. I don't believe that giving root access to Nix is required in order to get sandboxing in this case. --- src/libstore/globals.hh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index feb6899cded..9e3ac57e627 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -406,10 +406,11 @@ public: not run in private network namespace to ensure they can access the network). - Currently, sandboxing only work on Linux and macOS. The use of a - sandbox requires that Nix is run as root (so you should use the - “build users” feature to perform the actual builds under different - users than root). + Currently, sandboxing only work on Linux and macOS. The use + of a sandbox requires that your system supports "user + namespaces" or else that Nix is run as root (so you should + use the “build users” feature to perform the actual builds + under different users than root). If this option is set to `relaxed`, then fixed-output derivations and derivations that have the `__noChroot` attribute set to `true`
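Review bot: In the rewritten paragraph of src/libstore/globals.hh, the parenthetical "(so you should use the “build users” feature ...)" now trails both alternatives, although it only follows from the run-as-root case. As worded, a reader who relies on user namespaces is also told to set up build users. Suggest splitting the sentence so the advice attaches to the root case only, for example: "The use of a sandbox requires either that your system supports user namespaces or that Nix is run as root. If Nix is run as root, use the “build users” feature ...". User namespaces are a Linux feature, while the preceding sentence covers both Linux and macOS, so the text should say that the user-namespace alternative applies to Linux. The conditions given in the commit message (CONFIG_USER_NS=y and /proc/sys/user/max_user_namespaces > 0) would be worth naming there so a reader can check them. Two smaller points while the lines are being touched: "only work" should be "only works", and the straight quotes around "user namespaces" do not match the curly quotes around “build users”.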