daemon: Use the guest GID in /etc/group.

Partly fixes <https://issues.guix.gnu.org/77862>. Fixes a bug whereby, when running guix-daemon unprivileged, /etc/group would contain the wrong GID for the “nixbld” group. This inconsistency would lead to failures in the Coreutils test suite, for instance. * nix/libstore/build.cc (DerivationGoal::startBuilder): Use ‘guestGID’ when writing /etc/group. * tests/store.scm ("/etc/passwd and /etc/group"): New test. Reported-by: keinflue <keinflue@posteo.net> Change-Id: I739bc96c4c935fd9015a45e2bfe5b3e3f90554a9
2025-10-02 02:15:12 +00:00 · 2025-04-25 20:17:17 +02:00 · 2025-04-25 20:17:17 +02:00 · 0d3bc50b0c
commit 0d3bc50b0c
parent 5529636006
2 changed files with 23 additions and 1 deletions
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@ -1854,7 +1854,7 @@ void DerivationGoal::startBuilder()
           view of the system (e.g., "id -gn"). */
        writeFile(chrootRootDir + "/etc/group",
            (format("nixbld:!:%1%:\n")
-                % (buildUser.enabled() ? buildUser.getGID() : getgid())).str());
+                % (buildUser.enabled() ? buildUser.getGID() : guestGID)).str());

        /* Create /etc/hosts with localhost entry. */
        if (!fixedOutput)
--- a/tests/store.scm
+++ b/tests/store.scm
@ -443,6 +443,28 @@
    (and (build-derivations %store (list d))
         (call-with-input-file o get-string-all))))

+(unless (unprivileged-user-namespace-supported?)
+  (test-skip 1))
+(test-equal "/etc/passwd and /etc/group"
+  '((name "nixbld")
+    (uid 30001)
+    (gid 30000)
+    (group-name "nixbld"))
+  (let ((d (build-expression->derivation
+            %store "passwd-group-check"
+            `(call-with-output-file %output
+               (lambda (port)
+                 ',(gettimeofday)
+                 (let ((pw (getpwuid (getuid)))
+                       (gr (getgrgid (getgid))))
+                   (write `((name ,(passwd:name pw))
+                            (uid ,(passwd:uid pw))
+                            (gid ,(passwd:gid pw))
+                            (group-name ,(group:name gr)))
+                          port)))))))
+    (build-derivations %store (list d))
+    (call-with-input-file (derivation->output-path d) read)))
+
 (unless (unprivileged-user-namespace-supported?)
  (test-skip 1))
 (test-equal "inputs are read-only"