Describe the bug
If either you or the nix daemon set the real nix store path, then setting sandbox = false or sandbox = relaxed has no effect. The same is true for command line flags.
With any of these store paths (non-inclusive)
--store /path/to/store
--store "local?real=/path/to/store"
disables these flags without any error message
--option sandbox false
--option sandbox relaxed
--no-sandbox
Steps To Reproduce
This fails, despite you having full control over the nix store
This succeeds as long as you are trusted or the daemon does not have --store /path/ or --store ...?real=/path
This also succeeds as long as the daemon does not change its real store
BUT it also fails if the daemon was set with a real store path.
# as root
systemctl stop nix-daemon.socket nix-daemon.service
MY_NIX_ROOT=$(mktemp -d)
nix daemon --store $MY_NIX_ROOT
# in another shell.
nix-build \
  --option sandbox relaxed \
  --store unix:///nix/var/nix/daemon-socket/socket \
  -E 'derivation { name = "foo"; system = builtins.currentSystem; builder = "/usr/bin/bash"; args = [ "-c" "echo '$RANDOM' > $out" ]; __noChroot = true; }'
# For completeness this also fails
nix-build \
  --option sandbox relaxed \
  --store "unix:///nix/var/nix/daemon-socket/socket?real=$MY_NIX_ROOT" \
  -E 'derivation { name = "foo"; system = builtins.currentSystem; builder = "/usr/bin/bash"; args = [ "-c" "echo '$RANDOM' > $out" ]; __noChroot = true; }'
NOTE: $RANDOM is not escaped in these examples so we get a different derivation each time for testing.
NOTE: Note we set the builder to /usr/bin/bash, as that is likely not to be in the nix sandbox. Changing it to /bin/sh would make all these tests pass because that is in the sandbox, but you still could not access files outside the sandbox.
Expected behavior
I would expect all of the above to behave the same. It is surprising you cannot disable the sandbox when you fully own the nix store already.
nix-env --version output
Tested on
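A pre-flight check for the combination reported in this issue, as an added example that is not part of the original report or of Nix. The function name `sandbox_flags_ignored` is hypothetical, and it inspects the client command line only, so it cannot see the case where the daemon itself was started with a real store path.

```bash
#!/usr/bin/env bash
# Added example (not from the issue or from Nix).
# sandbox_flags_ignored ARGS...
#   Exit status 0 when ARGS combine a --store value that sets a real store
#   path (a bare /path or a URI with ?real=) with a flag that relaxes the
#   sandbox. The issue reports that this combination has no effect and
#   produces no error, so the wrapper warns instead.
#   Exit status 1 otherwise.
# Limitation: a daemon launched with its own --store path is invisible here.
sandbox_flags_ignored() {
  local store="" relax="" prev="" prev2="" arg
  for arg in "$@"; do
    # Remember the value that follows --store.
    case "$prev" in
      --store) store="$arg" ;;
    esac
    # The three flag spellings listed in the issue.
    if [ "$arg" = "--no-sandbox" ]; then
      relax="--no-sandbox"
    fi
    if [ "$prev2" = "--option" ] && [ "$prev" = "sandbox" ]; then
      case "$arg" in
        false|relaxed) relax="--option sandbox $arg" ;;
      esac
    fi
    prev2="$prev"
    prev="$arg"
  done

  # No sandbox-relaxing flag: nothing to warn about.
  [ -n "$relax" ] || return 1

  # Store forms from the issue: --store /path or --store "...?real=/path".
  case "$store" in
    /*|*real=*) ;;
    *) return 1 ;;
  esac

  printf 'warning: %s is reported to be ignored with --store %s\n' \
    "$relax" "$store" >&2
  return 0
}
```

Call it with the same arguments you are about to pass to `nix-build`, for example `sandbox_flags_ignored "$@" && exit 1` at the top of a wrapper script.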