Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow numeric uids/gids in allowed-users and trusted-users #8510

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Allow numeric uids/gids in allowed-users and trusted-users #8510

wants to merge 4 commits into from

Conversation

edolstra
Copy link
Member

Motivation

Also, don't use whoami. It doesn't work when auto-uid-allocation is enabled and sandboxing is disabled, since then the build UID doesn't have a matching entry in /etc/passwd.

This also does some cleanups in PeerInfo, replacing the bool guards with std::optional. There was at least a theoretical possibility that we were using uninitialized uid/gid fields.

Context

Checklist for maintainers

Maintainers: tick if completed or explain if not relevant

  • agreed on idea
  • agreed on implementation strategy
  • tests, as appropriate
    • functional tests - tests/**.sh
    • unit tests - src/*/tests
    • integration tests - tests/nixos/*
  • documentation in the manual
  • documentation in the internal API docs
  • code and comments are self-explanatory
  • commit message explains why the change was made
  • new feature or incompatible change: updated release notes

Priorities

Add 👍 to pull requests you find important.

@github-actions github-actions bot added new-cli Relating to the "nix" command with-tests Issues related to testing. PRs with tests have some priority labels Jun 13, 2023
@cole-h
Copy link
Member

cole-h commented Jun 13, 2023

It might not make much of a difference, but whoami also fails on macOS when the sandbox is enabled when using auto-uid-allocation.

@cole-h
Copy link
Member

cole-h commented Jun 13, 2023

Also, this closes #8444.

@edolstra
Copy link
Member Author

@cole-h Yeah I was being imprecise. I meant Linux-style sandboxing, which macOS doesn't have. So it always fails on macOS and it fails on Linux when sandboxing is disabled.

@Ericson2314
Copy link
Member

Can we use unshare to test?

@Ericson2314
Copy link
Member

This is a nice thing, I hope we can get it merged soon!

@edolstra
PeerInfo: Use std::optional to make it safer
c8b1ff0
@edolstra
Support numeric UIDs/GIDs in trusted-users and allowed-users
b746191
@edolstra
Don't use whoami
1741f4d 
`whoami` doesn't work when auto-uid-allocation is enabled and
sandboxing is disabled, since then the build UID doesn't have a
matching entry in /etc/passwd.
@edolstra
Fix macOS build
6e3535f
@abathur
Copy link
Member

abathur commented Jul 3, 2024

Gentle ~bump on this since we're having to move our UID/GID on macOS for compatibility with the early Sequoia beta. It would be nice to get out of the permanent-user game before we need to move again :)

See:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
new-cli Relating to the "nix" command with-tests Issues related to testing. PRs with tests have some priority
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@edolstra @cole-h @Ericson2314 @abathur