On 03/05/2017 05:39 PM, Tim Dempsey wrote:
> Is it possible to specify additional groups when entering a buildFHSUserEnv? I have a prepackaged binary that needs access to a USB serial device, and when I enter the environment using nix-shell I end up with the following groups: users, nobody. At minimum, I would like to add the dialout group, but ideally an option to pass my current groups into the env would be great. If I use sudo nix-shell it works of course, but that seems like an awfully big hammer. :)
See user_namespaces(7)[1]:

    In the case of gid_map, use of the setgroups(2) system call
    must first be denied by writing "deny" to the
    /proc/[pid]/setgroups file (see below) before writing to
    gid_map.

i.e. you can't set supplemental groups in an unprivileged user namespace. I don't remember the exact cause of this (it's security-related); it started with Linux 3.19[2].

So, sadly, this is not possible without sudo.

1: http://man7.org/linux/man-pages/man7/user_namespaces.7.html
2: https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/build-fhs-userenv/chroot-user.rb#L117

--
Nikolay.

_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev