fixed-output derivations: fix incorrect responses for getpwuid

[illustris]

Passing nscd socket into the build environment causes unexpected behavior in programs that make getpwuid and other related calls.

relevant threads:

• Bind mounting nscd socket in the sandbox causes getpwuid to return the wrong user #4991
• https://discourse.nixos.org/t/haunted-nix-build-breaks-isolation/13869

[edolstra]

No, we need the nscd socket to do DNS lookups etc. (see b6b142b).

[illustris]

Yes, b6b142b was mentioned in the issue associated with this PR ( #4991 ). This was necessary back when you made this change because of

nix/src/libstore/build.cc

Line 2340 in b6b142b

ss.push_back("/etc/nsswitch.conf");

DNS resolution was failing because your machine's /etc/nsswitch.conf could not be satisfied inside the build env.

This was changed to

nix/src/libstore/build/local-derivation-goal.cc

Line 1752 in 7bc17a9

writeFile(chrootRootDir + "/etc/nsswitch.conf", "hosts: files dns\nservices: files\n");

later, making the socket unnecessary.

As mentioned in #4991, the absence of this socket no longer breaks fixed output derivations (verified with nix master), and its presence breaks any program that makes getpwuid() calls, like git and maven.

[edolstra]

Thanks, makes sense!

[hmenke]

This should also receive a backport to 2.3-maintenance. Possible patch:

--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -2841,8 +2841,6 @@ void DerivationGoal::runChild()
 
                 ss.push_back("/etc/services");
                 ss.push_back("/etc/hosts");
-                if (pathExists("/var/run/nscd/socket"))
-                    ss.push_back("/var/run/nscd/socket");
             }
 
             for (auto & i : ss) dirsInChroot.emplace(i, i);

[illustris]

I was trying to do this, but nixStable is failing to build on nixpkgs master when I give it the repo as src. Tarball works. The contents of the repo and tarball release are not the same.

[illustris@illustris-thinkpad:~/src/nix]$ ls ~/src/nix-tarball/nix-2.3.12
bootstrap.sh  config  config.h.in  configure  configure.ac  contrib  COPYING  corepkgs  doc  local.mk  m4  maintainers  Makefile  Makefile.config.in  misc  mk  nix.spec  nix.spec.in  perl  README.md  release-common.nix  release.nix  scripts  shell.nix  src  tests
[illustris@illustris-thinkpad:~/src/nix]$ ls
bootstrap.sh  config  configure.ac  contrib  COPYING  corepkgs  doc  local.mk  m4  maintainers  Makefile  Makefile.config.in  misc  mk  nix.spec.in  perl  README.md  release-common.nix  release.nix  scripts  shell.nix  src  tests
[illustris@illustris-thinkpad:~/src/nix]$ git status
HEAD detached at 2.3.12
nothing to commit, working tree clean

Anyone know what's going on here?

[hmenke]

I can't tell you exactly “what's going on here”, but for 2.3 you have to build the source tarball using

nix-build release.nix -A tarball

This essentially just runs autoreconf on the source tree to generate the configure scripts.

[illustris]

PR at #5013
tested the same default.nix mentioned in #4991. Are there any automated tests for nix? didn't find anything in nixpkgs.
EDIT: nvm... found tests