Can't execute setuid binaries in Nix 1.11.10+ #1429

@rimmington

Description

From what I understand, seccomp rules prevent the creation of setuid binaries in Nix 1.10+. However, I didn't read anything about preventing execution of setuid binaries in Nix. We're using sudo to set up containers in Hydra for integration testing, and an upgrade caused our tests to start failing (we ended up downgrading). I can replicate the issue in a VM fairly easily.

With a VM provisioned (via vagrant-nixos-plugin) with Nixpkgs 49e8512100ce12b5990a1bf5371d4d1c558962ab:

[vagrant@nixos:~]$ nix-build --version
nix-build (Nix) 1.11.9

[vagrant@nixos:~]$ nix-build -E 'with import <nixpkgs> {}; runCommand "test" {} "/run/wrappers/bin/sudo echo hello"'
these derivations will be built:
  /nix/store/achlrszr10jifl3iz814s0d8ybxh94nv-test.drv
building path(s) ‘/nix/store/4jdxy3dkvpahax56wysnfss80rcsnb0g-test’
sudo: no tty present and no askpass program specified
builder for ‘/nix/store/achlrszr10jifl3iz814s0d8ybxh94nv-test.drv’ failed with exit code 1
error: build of ‘/nix/store/achlrszr10jifl3iz814s0d8ybxh94nv-test.drv’ failed

[nix-shell:~]$ nix-build -E 'with import <nixpkgs> {}; runCommand "test" {} "/run/wrappers/bin/ping -c 1 google.com"'
these derivations will be built:
  /nix/store/qx6caxlgz6c4wmgfapxwmx7r0x7n2snz-test.drv
building path(s) ‘/nix/store/vnygr4hjxfjy8hx3lvr17jqgmgli3k92-test’
PING google.com (216.58.196.142) 56(84) bytes of data.

--- google.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

builder for ‘/nix/store/qx6caxlgz6c4wmgfapxwmx7r0x7n2snz-test.drv’ failed with exit code 1
error: build of ‘/nix/store/qx6caxlgz6c4wmgfapxwmx7r0x7n2snz-test.drv’ failed

With Nixpkgs 7a76e259c88ad5ea6807ed70af51d9196195c690:

[nix-shell:~]$ nix-build --version
nix-build (Nix) 1.11.10

[vagrant@nixos:~]$ nix-build -E 'with import <nixpkgs> {}; runCommand "test" {} "/run/wrappers/bin/sudo echo hello"'
these derivations will be built:
  /nix/store/achlrszr10jifl3iz814s0d8ybxh94nv-test.drv
building path(s) ‘/nix/store/4jdxy3dkvpahax56wysnfss80rcsnb0g-test’
sudo: /nix/store/3xsjm8rfpy0ysfjs1pcybj33fsigszgp-wrapper.c:203: main: Assertion `!(st.st_mode & S_ISUID) || (st.st_uid == geteuid())' failed.
/tmp/nix-build-test.drv-0/.attr-0: line 1:  9463 Aborted                 /run/wrappers/bin/sudo echo hello
builder for ‘/nix/store/achlrszr10jifl3iz814s0d8ybxh94nv-test.drv’ failed with exit code 134
error: build of ‘/nix/store/achlrszr10jifl3iz814s0d8ybxh94nv-test.drv’ failed

[vagrant@nixos:~]$ nix-build -E 'with import <nixpkgs> {}; runCommand "test" {} "/run/wrappers/bin/ping -c 1 google.com"'
these derivations will be built:
  /nix/store/qx6caxlgz6c4wmgfapxwmx7r0x7n2snz-test.drv
building path(s) ‘/nix/store/vnygr4hjxfjy8hx3lvr17jqgmgli3k92-test’
cannot raise the capability into the Ambient set
: Operation not permitted
builder for ‘/nix/store/qx6caxlgz6c4wmgfapxwmx7r0x7n2snz-test.drv’ failed with exit code 1
error: build of ‘/nix/store/qx6caxlgz6c4wmgfapxwmx7r0x7n2snz-test.drv’ failed

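Both failures in the 1.11.10 log are what Linux produces once a process has set the no_new_privs flag (PR_SET_NO_NEW_PRIVS), which an unprivileged process must set before it can install a seccomp filter: after that flag is set, execve() no longer grants privileges from setuid/setgid bits or file capabilities, and every child inherits the flag. The sudo wrapper's assertion, `!(st.st_mode & S_ISUID) || (st.st_uid == geteuid())`, is precisely a test for "the file is setuid but my euid did not change", and abort() gives the exit status 134 (128 + SIGABRT) seen above. The ping wrapper fails one step later for the same reason: PR_CAP_AMBIENT_RAISE requires the capability to already be in the permitted set, and the file capability that would have put CAP_NET_RAW there was not honoured. That the Nix builder sets this flag is inferred here from the symptoms, not stated on the page. The program below is an added example, not code from this issue, from Nix, or from the NixOS wrapper: it restates the wrapper's assertion as a non-aborting check and can re-exec a wrapper with no_new_privs set, so the abort can be reproduced outside a Nix build. The program name and function names are mine; it is Linux only.

```c
/* Added example (not code from this issue, from Nix, or from the NixOS
 * security wrapper). Linux only. Names are the author's own choices. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <unistd.h>

enum setuid_outcome {
    SETUID_STAT_ERROR = -1, /* could not stat the file */
    SETUID_NOT_SET = 0,     /* no S_ISUID bit: nothing to verify */
    SETUID_HONORED = 1,     /* euid now equals the file owner */
    SETUID_IGNORED = 2      /* S_ISUID set but euid unchanged: the kernel
                               ignored the bit, e.g. no_new_privs is set
                               or the filesystem is mounted nosuid */
};

/* The wrapper's post-exec assertion
 *     !(st.st_mode & S_ISUID) || (st.st_uid == geteuid())
 * as a pure function: it holds for NOT_SET and HONORED, fails for IGNORED. */
enum setuid_outcome classify_setuid(mode_t mode, uid_t file_uid, uid_t euid)
{
    if (!(mode & S_ISUID))
        return SETUID_NOT_SET;
    return file_uid == euid ? SETUID_HONORED : SETUID_IGNORED;
}

/* 1 if no_new_privs is in effect for this process, 0 if not, -1 on error.
 * Once set, the flag is inherited by every child and cannot be cleared. */
int no_new_privs_active(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* What a wrapper can check after exec without abort(): stat its own image
 * and compare the owner with the effective uid it actually received. */
enum setuid_outcome post_exec_check(const char *exe_path)
{
    struct stat st;
    if (stat(exe_path, &st) != 0)
        return SETUID_STAT_ERROR;
    return classify_setuid(st.st_mode, st.st_uid, geteuid());
}

/* Usage: nnp_exec [--nnp] PROGRAM [ARGS...]
 * With --nnp, set PR_SET_NO_NEW_PRIVS first, as a sandboxed builder does
 * before installing a seccomp filter, then exec PROGRAM. Compare
 *     ./nnp_exec       /run/wrappers/bin/sudo -n true
 *     ./nnp_exec --nnp /run/wrappers/bin/sudo -n true
 * The second run ends in the same "Assertion ... failed" and SIGABRT
 * (status 134) as the build log above, because the wrapper is executed
 * with the caller's euid rather than root's. */
int main(int argc, char **argv)
{
    int nnp = 0;
    int first = 1;
    if (argc > 1 && strcmp(argv[1], "--nnp") == 0) {
        nnp = 1;
        first = 2;
    }
    if (argc <= first) {
        fprintf(stderr, "usage: %s [--nnp] PROGRAM [ARGS...]\n", argv[0]);
        return 2;
    }
    if (nnp && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
        perror("PR_SET_NO_NEW_PRIVS");
        return 1;
    }
    fprintf(stderr, "no_new_privs=%d uid=%u euid=%u, exec %s\n",
            no_new_privs_active(), (unsigned)getuid(), (unsigned)geteuid(),
            argv[first]);
    execv(argv[first], argv + first);
    perror("execv");
    return 127;
}
```

Build with `cc -o nnp_exec nnp_exec.c`. The check `cat /proc/$$/status | grep NoNewPrivs` inside a build shows the same flag from the kernel's side; if it reads 1, no setuid wrapper or file-capability wrapper reachable from that process will ever elevate, whatever its mode bits say.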