GNU bug report logs - #78256
[PATCH] daemon: Use the actual overflow UID and GID in /etc/passwd.


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Mon, 5 May 2025 09:01:02 UTC

Severity: normal

Tags: patch


From: Ludovic Courtès <ludo <at> gnu.org>
To: keinflue <keinflue <at> posteo.net>
Cc: 78256 <at> debbugs.gnu.org
Subject: [bug#78256] [PATCH] daemon: Use the actual overflow UID and GID in /etc/passwd.
Date: Fri, 23 May 2025 11:26:12 +0200

Hello,

keinflue <keinflue <at> posteo.net> writes:

> On 05.05.2025 10:59, Ludovic Courtès wrote:
>> Partly fixes <https://issues.guix.gnu.org/77862>.
>> * nix/libstore/build.cc (fileContent, overflowUID, overflowGID): New
>> functions.
>> (DerivationGoal::startBuilder): Use them to populate /etc/passwd when
>> ‘buildUser.enabled()’ is false.
>> Reported-by: keinflue <keinflue <at> posteo.net>
>> Change-Id: I695c697629c739d096933274c1c8a70d08468d4a

Thanks for your comments on the C++ code.

> In general, after some more thoughts about it, I am not really sure
> that the ids of "nobody" must reflect the overflowids. It seems that
> this user/group name has/had multiple different purposes and it is not
> clear to me which one exactly is intended for the build environment.

Yeah actually I wonder.  I think the main goal here was to have an entry
for “nobody” in /etc/passwd, probably because there exists code out
there that assumes that “nobody” exists, but most likely its UID doesn’t
matter much.

Build processes can see files whose group is the overflow GID (as we’ve
discussed regarding supplementary groups) but I believe they cannot see
files whose owner is the overflow UID, right?  In that case, this patch
doesn’t even provide a useful UID-to-name mapping.

Thanks,
Ludo’.
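
An added illustration, not part of this message or of the patch it discusses: how an ID outside a user namespace's uid_map/gid_map shows up as the overflow ID inside it, and what a "nobody" entry built from that ID looks like. The function names, the sample maps in the test, and the passwd fields other than the two IDs are assumptions made for this example.

```cpp
// Added example; not code from nix/libstore/build.cc.
#include <fstream>
#include <sstream>
#include <string>

// Kernel default used when the overflow ID file cannot be read.
static const unsigned long DEFAULT_OVERFLOW_ID = 65534;

// Read a numeric ID from PATH (e.g. /proc/sys/kernel/overflowuid);
// fall back to the default if the file is missing or malformed.
unsigned long readOverflowId(const std::string &path)
{
    std::ifstream in(path);
    unsigned long id;
    if (in >> id) return id;
    return DEFAULT_OVERFLOW_ID;
}

// Translate a parent-namespace ID to the ID seen inside a user namespace.
// MAP is uid_map/gid_map text: one "inside outside count" triple per line.
// An ID covered by no line is reported as the overflow ID.
unsigned long idSeenInside(const std::string &map, unsigned long outsideId,
                           unsigned long overflowId)
{
    std::istringstream lines(map);
    unsigned long inside, outside, count;
    while (lines >> inside >> outside >> count)
        if (outsideId >= outside && outsideId - outside < count)
            return inside + (outsideId - outside);
    return overflowId;
}

// Build a "nobody" line for /etc/passwd (GECOS, home and shell are
// placeholder values chosen for this example).
std::string nobodyPasswdEntry(unsigned long uid, unsigned long gid)
{
    return "nobody:x:" + std::to_string(uid) + ":" + std::to_string(gid)
        + ":Nobody:/:/noshell\n";
}
```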




This bug report was last modified 23 days ago.
