Cannot disable the use of the sandbox with --store /path/ #11499

Open
georgyo opened this issue Sep 13, 2024 · 0 comments
Describe the bug
If either you or the nix daemon set the real nix store path, then setting sandbox = false or sandbox = relaxed has no effect. The same is true for command line flags.

With any of these store paths (non-inclusive):

  • --store /path/to/store
  • --store "local?real=/path/to/store"

these flags are disabled without any error message:

  • --option sandbox false
  • --option sandbox relaxed
  • --no-sandbox

Steps To Reproduce

This fails, despite you having full control over the nix store

nix-build \
  --option sandbox relaxed \
  --store $HOME/nix \
  -E 'derivation { name = "foo"; system = builtins.currentSystem; builder = "/usr/bin/bash"; args = [ "-c" "echo '$RANDOM' > $out" ]; __noChroot = true; }'

This succeeds as long as you are trusted or the daemon does not have --store /path/ or --store ...?real=/path

nix-build \
  --option sandbox relaxed \
  -E 'derivation { name = "foo"; system = builtins.currentSystem; builder = "/usr/bin/bash"; args = [ "-c" "echo '$RANDOM' > $out" ]; __noChroot = true; }'

This also succeeds as long as the daemon does not change its real store

nix-build \
  --option sandbox relaxed \
  --store unix:///nix/var/nix/daemon-socket/socket \
  -E 'derivation { name = "foo"; system = builtins.currentSystem; builder = "/usr/bin/bash"; args = [ "-c" "echo '$RANDOM' > $out" ]; __noChroot = true; }'

BUT it also fails if the daemon was set with a real store path.

# as root
systemctl stop nix-daemon.socket nix-daemon.service
MY_NIX_ROOT=$(mktemp -d)
nix daemon --store $MY_NIX_ROOT

# in another shell.
nix-build \
  --option sandbox relaxed \
  --store unix:///nix/var/nix/daemon-socket/socket \
  -E 'derivation { name = "foo"; system = builtins.currentSystem; builder = "/usr/bin/bash"; args = [ "-c" "echo '$RANDOM' > $out" ]; __noChroot = true; }'
  
# For completeness this also fails
nix-build \
  --option sandbox relaxed \
  --store "unix:///nix/var/nix/daemon-socket/socket?real=$MY_NIX_ROOT" \
  -E 'derivation { name = "foo"; system = builtins.currentSystem; builder = "/usr/bin/bash"; args = [ "-c" "echo '$RANDOM' > $out" ]; __noChroot = true; }'

NOTE: $RANDOM is not escaped in these examples so we get a different derivation each time for testing.

NOTE: We set the builder to /usr/bin/bash, as that is likely not to be in the nix sandbox. Changing it to /bin/sh would make all these tests pass because that is in the sandbox, but you still could not access files outside the sandbox.

Expected behavior

I would expect all of the above to behave the same. It is surprising you cannot disable the sandbox when you fully own the nix store already.

nix-env --version output

Tested on

  • nix-env (Nix) 2.19.4
  • nix-env (Nix) 2.23.3
  • nix-env (Nix) 2.25.0pre20240813_049d091

Priorities

Add 👍 to issues you find important.

@georgyo georgyo added the bug label Sep 13, 2024
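A pre-flight check for wrapper or CI scripts, as an added example that is not part of the original issue and not Nix code: it flags a nix-build argument list that combines a sandbox override with one of the store forms the issue lists as setting the real store path. The function names `store_sets_real_path` and `sandbox_override_ignored` are hypothetical, and the check cannot see the case where the daemon itself was started with a real store path.

```shell
#!/bin/sh
# Added example (not from the issue or the Nix project). It only encodes the
# cases listed in the issue: a bare path or a "real=" store parameter.

# Return 0 if a --store value sets the real store path.
store_sets_real_path() {
  local uri="$1" query
  case $uri in
    /*) return 0 ;;                      # --store /path/to/store
    *\?*) query="&${uri#*\?}" ;;         # query string, prefixed with "&"
    *) return 1 ;;                       # no path, no parameters
  esac
  case $query in
    *"&real="*) return 0 ;;              # local?real=..., unix://...?real=...
  esac
  return 1
}

# Return 0 if the arguments ask to relax or disable the sandbox AND select a
# store that sets the real path (the combination the issue reports as ignored).
sandbox_override_ignored() {
  local wants_off=1 real_store=1
  while [ $# -gt 0 ]; do
    case $1 in
      --no-sandbox) wants_off=0 ;;
      --option)
        if [ $# -ge 3 ]; then
          if [ "$2" = sandbox ]; then
            case $3 in false|relaxed) wants_off=0 ;; esac
          fi
          shift 2                        # skip the option name and value
        fi ;;
      --store)
        if [ $# -ge 2 ]; then
          if store_sets_real_path "$2"; then real_store=0; fi
          shift                          # skip the store URI
        fi ;;
    esac
    shift
  done
  [ "$wants_off" -eq 0 ] && [ "$real_store" -eq 0 ]
}

# Constructed sample invocation mirroring the first failing case in the issue.
if sandbox_override_ignored --option sandbox relaxed --store "$HOME/nix"; then
  echo "warning: sandbox override is reported to be silently ignored here" >&2
fi
```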