Running a setuid-root binary inside a Nix sandbox does not actually set the uid to 0. For example, `whoami` will report `nixbld`, and `security.wrappers` programs will crash with an assertion failure when detecting that the effective uid does not match the file uid.
Can reproduce either by calling `/run/wrappers/bin/sudo` in the sandbox (have to make it visible) or by running `/run/as/root $(which id)` with my little asroot NixOS module.
Seems to me like the allow-new-privileges option was added to make this work (#1429) but that this is not working with Nix from NixOS 18.09.
Notes:
- NixOS 18.09.
- Setuid binary on a filesystem that does not have `nosetuid` flag.
- Nix.conf includes `allow-new-privileges = true`.
Wild guess: Could this be due to userns sandboxing not providing a usable root user?
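The report touches three conditions under which Linux ignores a setuid bit at `execve` time: `no_new_privs` is set, the filesystem is mounted `nosuid`, or the file owner's uid has no mapping in the caller's user namespace. The following is an added diagnostic sketch, not code from the issue or from Nix. The function names are hypothetical, the mount point `/` in the live check is an assumption, and the `uid_map` test assumes the sandbox namespace is a direct child of the initial one.

```shell
#!/bin/sh
# Added example. Each function takes the path of a /proc-style file, so it
# works on saved copies (e.g. captured inside a build) as well as live files.

# Succeeds if status file $1 reports "NoNewPrivs: 1".
no_new_privs_set() {
    while read -r key value rest; do
        if [ "$key" = "NoNewPrivs:" ] && [ "$value" = "1" ]; then return 0; fi
    done < "$1"
    return 1
}

# Succeeds if uid $2, as numbered in the parent namespace, is covered by a
# line of uid_map file $1 ("inside-start outside-start count").
# A constructed sandbox line "1000 30001 1" leaves outside uid 0 unmapped.
outside_uid_mapped() {
    while read -r inside outside count; do
        if [ "$2" -ge "$outside" ] && [ "$2" -lt $((outside + count)) ]; then
            return 0
        fi
    done < "$1"
    return 1
}

# Succeeds if the last entry for mount point $2 in mounts file $1 has nosuid.
mounted_nosuid() {
    found=1
    while read -r dev mnt fstype opts rest; do
        if [ "$mnt" = "$2" ]; then
            case ",$opts," in *,nosuid,*) found=0 ;; *) found=1 ;; esac
        fi
    done < "$1"
    return "$found"
}

# Prints each reason found why a setuid binary owned by uid $5 on mount $4
# would run without its owner's uid. Args: status uid_map mounts mount uid.
setuid_blockers() {
    reasons=""
    if no_new_privs_set "$1"; then reasons="$reasons no_new_privs"; fi
    if ! outside_uid_mapped "$2" "$5"; then reasons="$reasons owner_uid_unmapped"; fi
    if mounted_nosuid "$3" "$4"; then reasons="$reasons nosuid_mount"; fi
    echo "${reasons# }"
}

# Live check for a root-owned binary; the mount point "/" is an assumption.
if [ -r /proc/self/uid_map ]; then
    setuid_blockers /proc/self/status /proc/self/uid_map /proc/self/mounts / 0
fi
```

Empty output means none of the three conditions applies to the calling process. Inside a sandbox, pass the mount point that actually holds the setuid binary instead of `/`.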