nscd works in fixed-output derivations

[dasJ]

Describe the bug

When using a fixed-output derivation which calls getpwnam, the host's nscd responds to the request, resulting in wrong results.

Steps To Reproduce

{ stdenvNoCC }:
stdenvNoCC.mkDerivation {
  name = "example";

  dontUnpack = true;

  configurePhase = ''
    id
  '';

  outputHashMode = "flat";
  outputHashAlgo = "sha256";
  outputHash = "0000000000000000000000000000000000000000000000000000";
}

When building that derivation, your local user name is shown, while nixbld is shown when not building a FOD.

Expected behavior

Access to nscd should be disabled even with FODs.

nix-env --version output

nix-env (Nix) 2.4pre20200521_00b562c

Additional context

I was able to work around that problem by creating a LD_PRELOAD so file that calls __nss_disable_nscd() before running main().
Sources here: https://github.com/dasJ/nscd-disable/

[Ericson2314]

Hmm https://github.com/NixOS/nix/pull/2975/files was supposed to fix this, CC @matthewbauer

[matthewbauer]

Could you run a strace to see if nsswitch.conf is even being read? It’s possible there is some default for passwd that we need to explicitly disable.

Since we make the nscd socket available there’s nothing really blocking a program from manually talking to it.

[dasJ]

Looks like id was a bad example. It doesn't seem to read anything from /etc:

configuring
++ /nix/store/yc52vh5nr3hddx7wvj6wmqj396669bs9-strace-5.5/bin/strace -fs5000 id
++ grep etc
access("/etc/ld-nix.so.preload", R_OK)  = -1 ENOENT (No such file or directory)