GNU bug report logs - #77862
guix-daemon run as non-root sets up /etc/group incorrectly in build container

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 19 Apr 2025 11:19:09 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Apr 19 07:19:09 2025
Received: from localhost ([127.0.0.1]:58950 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1u66Dy-00088Q-2j
	for submit <at> debbugs.gnu.org; Sat, 19 Apr 2025 07:19:09 -0400
Received: from mout01.posteo.de ([185.67.36.65]:53501)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <keinflue@HIDDEN>)
 id 1u66Dr-000864-Lw
 for 77862 <at> debbugs.gnu.org; Sat, 19 Apr 2025 07:19:03 -0400
Received: from submission (posteo.de [185.67.36.169]) 
 by mout01.posteo.de (Postfix) with ESMTPS id 33B35240027
 for <77862 <at> debbugs.gnu.org>; Sat, 19 Apr 2025 13:18:52 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017;
 t=1745061533; bh=u41wj5gqkR17qOffRrqKQKTQ/byqKw8Oh31b6QSu4RY=;
 h=MIME-Version:Date:From:To:Cc:Subject:Message-ID:Content-Type:
 Content-Transfer-Encoding:From;
 b=Fipf/4PUaLRRuXTLuG03vy6uHG2GukTsdAzVcxlcYHeqeWPaY5AxLuE8OHcBsFmtK
 xkkg82fEX9LbJtRuqN6bYs/Tyd4gGX/tzSvjpeXytRJj6s7HVdMGOMOmtdqVigfNe6
 i/l3AoZ3Rmje2QofXfVXnur1Z1f/Mw2mdzbe9mLzFWOeeoPAEJUa8WcKPe3SJOrBBG
 FCT8NNp2XrugG/ynjXWe95qualPdvJ1tjeiRObJ7YluRyVviEOetZWQHerDY5+ab/d
 OhdJUmmxM1WO5p6nN3lR3mrd3N7yHyyYpR1xvVWnBOQWcErtooc/ReAgn8nAOTN9Ox
 AhQVYg81jApQQ==
Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 4Zfpzc00Cvz6tsb;
 Sat, 19 Apr 2025 13:18:51 +0200 (CEST)
MIME-Version: 1.0
Date: Sat, 19 Apr 2025 11:18:51 +0000
From: keinflue <keinflue@HIDDEN>
To: =?UTF-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <87a58e3f4q.fsf@HIDDEN>
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN> <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
 <87a58e3f4q.fsf@HIDDEN>
Message-ID: <8c2080a3681e7d2e1d38bb4d3e1463d0@HIDDEN>
Content-Type: text/plain; charset=UTF-8;
 format=flowed
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 77862
Cc: 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

I can confirm that the patch resolves the particular failing test.

However I overlooked that there are other failing tests:

> FAIL: tests/chgrp/default-no-deref.sh
> FAIL: tests/chgrp/no-x.sh
> FAIL: tests/chgrp/posix-H.sh
> FAIL: tests/chgrp/recurse.sh
> FAIL: tests/chgrp/basic.sh

Here is an example of the failures:

> + require_membership_in_two_groups_
> + test 0 =3D 0
> + groups=3D'30000 65534'
> + case "$groups" in
> + require_local_dir_
> + require_mount_list_
> + local 'mount_list_fail=3Dcannot read table of mounted file systems'
> + df --local
> + grep -F 'cannot read table of mounted file systems'
> + is_local_dir_ .
> + test 1 =3D 1
> + df --local .
> + set _ 30000 65534
> + shift
> + g2=3D65534
> + mkdir d
> + touch f
> + ln -s ../f d/s
> ++ stat --printf=3D%g f
> + g_init=3D30000
> + chgrp -R 65534 d
> chgrp: changing group of 'd/s': Invalid argument
> chgrp: changing group of 'd': Invalid argument
> + fail=3D1
> ++ stat --printf=3D%g f
> + test 30000 =3D 30000
> + Exit 1
> + set +e
> + exit 1
> + exit 1
> + remove_tmp_
> + __st=3D1
> + cleanup_
> + :
> + test '' =3D yes
> + cd /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1
> + chmod -R u+rwx=20
> /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1/gt-default-no-deref.sh=
=2EAEHe
> + rm -rf=20
> /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1/gt-default-no-deref.sh=
=2EAEHe
> + exit 1
> FAIL tests/chgrp/default-no-deref.sh (exit status: 1)

I think this happens if the user running guix-daemon has supplementary=20
groups. These are not mapped via /proc/gid_map in the build container=20
and therefore are reported as the overflow gid (65534) by getgroups.

The test cases assume that they can change ownership to this additional=20
group but that is not permitted on the overflow gid.

I think supplementary groups should be dropped in the user namespace for=20
the build container to make the behavior reproducible. Unfortunately=20
this may be impossible if the parent namespace has set=20
/proc/[...]/setgroups to "deny".

Best,
keinflue

On 17.04.2025 18:51, Ludovic Court=C3=A8s wrote:
> keinflue <keinflue@HIDDEN> writes:
>=20
>> Here are excerpts from the build log:
>=20
> Thanks.
>=20
>> Unfortunately I made a mistake and accidentally lost the container in
>> which I tried this, so I can not verify right now whether the patch
>> actually resolves the issue.
>>=20
>> It might take me a day or two to restore it.
>=20
> No worries, I=E2=80=99ll wait for your feedback.
>=20
>> This happened either during or shortly after bootstrap builds, so I
>> don't know whether this was the final coreutils package or one from
>> commencement.scm.
>=20
> OK.
>=20
> If you have a setup for full rebuilds (no substitutes) running in a
> container, I=E2=80=99m curious to learn more about it!
>=20
> Ludo=E2=80=99.

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 17 Apr 2025 19:49:32 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Apr 17 15:49:32 2025
Received: from localhost ([127.0.0.1]:48476 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1u5VEl-0000ew-Rs
	for submit <at> debbugs.gnu.org; Thu, 17 Apr 2025 15:49:31 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:48212)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <ludo@HIDDEN>) id 1u5VEg-0000cu-3H
 for 77862 <at> debbugs.gnu.org; Thu, 17 Apr 2025 15:49:24 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
 id 1u5VEY-0001ai-AP; Thu, 17 Apr 2025 15:49:14 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To:
 From; bh=wYU0GrV6wjpP3OK4HOtcXzEamjhNihygC99zgCwo9aA=; b=oA7R+wOLhyA4wT1I2gRF
 Sq/WSXHmvOtlS3Stlplzg56BpjDWeru9PYkjNd99xtzmTNFeVI9JrSA1N94TpanSUG9PhOo2pdUVz
 zBE16xad0QtqqnQ/C86z1/6pVLestnm6ynK8F3c3BPQFakSyXNRzFd8Hud5Pwwl7u18bfmtdNiulN
 mYaWEo6xMDsYVRVOLPR/31TwRsZ9Atp1clJR/cob6vfUnNobkVnRYDXECjQqpCydPCm2p0cyyhirm
 cPshRmYvna01KVS65mbHkFsEA4u0NDANqkq3mWKn6gHUa4Z6y7g3sAfrFlfvbXDM/5VSDrMHHPx1G
 xLA59GtXt5d5NA==;
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: keinflue <keinflue@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
 (keinflue@HIDDEN's message of "Thu, 17 Apr 2025 15:36:32 +0000")
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN> <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
User-Agent: mu4e 1.12.9; emacs 29.4
X-URL: https://people.bordeaux.inria.fr/lcourtes/
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
X-Revolutionary-Date: Octidi 28 Germinal an 233 de la =?utf-8?Q?R=C3=A9vol?=
 =?utf-8?Q?ution=2C?= jour de la =?utf-8?Q?Pens=C3=A9e?=
Date: Thu, 17 Apr 2025 18:51:49 +0200
Message-ID: <87a58e3f4q.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 77862
Cc: 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

keinflue <keinflue@HIDDEN> writes:

> Here are excerpts from the build log:

Thanks.

> Unfortunately I made a mistake and accidentally lost the container in
> which I tried this, so I can not verify right now whether the patch
> actually resolves the issue.
>
> It might take me a day or two to restore it.

No worries, I=E2=80=99ll wait for your feedback.

> This happened either during or shortly after bootstrap builds, so I
> don't know whether this was the final coreutils package or one from
> commencement.scm.

OK.

If you have a setup for full rebuilds (no substitutes) running in a
container, I=E2=80=99m curious to learn more about it!

Ludo=E2=80=99.

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 17 Apr 2025 15:36:45 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Apr 17 11:36:45 2025
Received: from localhost ([127.0.0.1]:48146 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1u5RIC-0004r0-66
	for submit <at> debbugs.gnu.org; Thu, 17 Apr 2025 11:36:44 -0400
Received: from mout02.posteo.de ([185.67.36.66]:47725)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <keinflue@HIDDEN>)
 id 1u5RI8-0004pz-BG
 for 77862 <at> debbugs.gnu.org; Thu, 17 Apr 2025 11:36:41 -0400
Received: from submission (posteo.de [185.67.36.169]) 
 by mout02.posteo.de (Postfix) with ESMTPS id 0E237240101
 for <77862 <at> debbugs.gnu.org>; Thu, 17 Apr 2025 17:36:33 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017;
 t=1744904194; bh=sEwaj+QNX/WrZTfR/JqlI2Kus3utizJ9IWYOaZ8vHnk=;
 h=MIME-Version:Date:From:To:Cc:Subject:Message-ID:Content-Type:
 Content-Transfer-Encoding:From;
 b=QSs9wndeWwy7WwHi9oTVwrCJYA11E7WcjF4KuNIG6UvY+0IEEdiUZRduUyDgWZJ+X
 SimGggKoqC4Cg4uHG4X+mD1lXzWy+uL2OuhEV3lnG4qBr6czhBB8QHMvFE7CrkQc6z
 IuEkKZccavDbjMUxfND6AoBzy1WfGePGWtmsjleOZdG2lwlnzSN+5OljaaxuQbDXPG
 2PktJlDChPN4l9pd//hd/8EHTwVLizGzZHAdHZM6iTVkzaV8cOG+PiqPJUVR5U2n1E
 cJGqh+0Mwmh6dUIQs4WvGOvd9mxssBq4On+AZXHbMEmKEACwxggOblmXz0wMn5peJg
 W6jauivqxOGbQ==
Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 4Zdhns1FJrz9rxK;
 Thu, 17 Apr 2025 17:36:32 +0200 (CEST)
MIME-Version: 1.0
Date: Thu, 17 Apr 2025 15:36:32 +0000
From: keinflue <keinflue@HIDDEN>
To: =?UTF-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <878qny530h.fsf@HIDDEN>
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 <878qny530h.fsf@HIDDEN>
Message-ID: <936405d1bcbed15df2266c30cfc4ca33@HIDDEN>
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 77862
Cc: 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Here are excerpts from the build log:

> ERROR: tests/chown/separator
> ============================
> 
> ++ initial_cwd_=/tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1

[...]

> ++ id -u
> + id_u=30001
> + test -n 30001
> ++ id -un
> + id_un=nixbld
> + test -n nixbld
> ++ id -g
> + id_g=30000
> + test -n 30000
> ++ id -gn
> id: cannot find name for group ID 30000
> + id_gn=30000
> + framework_failure_
> + warn_ 'separator.sh: set-up failure: '
> + case $IFS in
> + printf '%s\n' 'separator.sh: set-up failure: '
> separator.sh: set-up failure:
> + test 9 = 2
> + printf '%s\n' 'separator.sh: set-up failure: '
> + sed 1q
> + Exit 99
> + set +e
> + exit 99
> + exit 99
> + remove_tmp_
> + __st=99
> + cleanup_
> + :
> + test '' = yes
> + cd /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1
> + chmod -R u+rwx 
> /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1/gt-separator.sh.Fk4W
> + rm -rf 
> /tmp/guix-build-coreutils-9.1.drv-0/coreutils-9.1/gt-separator.sh.Fk4W
> + exit 99
> ERROR tests/chown/separator.sh (exit status: 99)

[...]

> error: in phase 'check': uncaught exception:
> srfi-34 #<condition &invoke-error [program: "make" arguments: ("check" 
> "-j" "16") exit-status: 2 term-signal: #f stop-signal: #f] 2df6100> >
> phase `check' failed after 15.2 seconds
> command "make" "check" "-j" "16" failed with status 2
> build process 2 exited with status 256

Yes, I believe the patch as suggested is correct (with my limited 
understanding given that the lines above were changed in the same way).

Unfortunately I made a mistake and accidentally lost the container in 
which I tried this, so I can not verify right now whether the patch 
actually resolves the issue.

It might take me a day or two to restore it.

This happened either during or shortly after bootstrap builds, so I 
don't know whether this was the final coreutils package or one from 
commencement.scm.

Best,
keinflue

Message received at 77862 <at> debbugs.gnu.org:

Received: (at 77862) by debbugs.gnu.org; 17 Apr 2025 14:24:47 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Apr 17 10:24:47 2025
Received: from localhost ([127.0.0.1]:48035 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1u5QAY-00057A-Ax
	for submit <at> debbugs.gnu.org; Thu, 17 Apr 2025 10:24:46 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:45748)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <ludo@HIDDEN>) id 1u5QAS-00055J-0G
 for 77862 <at> debbugs.gnu.org; Thu, 17 Apr 2025 10:24:43 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
 id 1u5QAM-0001sn-BP; Thu, 17 Apr 2025 10:24:34 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To:
 From; bh=Gn7EZbmDjBFOb8qzkMA6g7bAntClza2m7f6aaKj90fw=; b=L+O5S1iqcbkZoMe9SvLc
 wmDx/92l09g1WaGLa77PcjF6k3kARPApOg7zWTBorsZ6+FfyAeZkRFslyyXfnpmS29tloIjwwc/MB
 JNEiCI3xt5SeNAoGR90cUPFFlgHKjFmC0H9+zY/eIw0Uky6U6XxHZXQZ8Uu6CMeOPHDgXRT8U+9Qw
 EitH0PCdNofq5AV+SK1bntuFvdMsP890YkKjmK69TBVjKo+Y72ECfPLWFVd7s1bbgkmjjkKJFGr4B
 XpAXSN4bXT53YsPhHf5iLKFZPv9vzY055hiq0TeBdCYkYkqMpakk/fEJpRA9Pn2XTyhljBKfmCQhk
 mG0Fi7x2FRaWRA==;
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: keinflue <keinflue@HIDDEN>
Subject: Re: guix-daemon run as non-root sets up /etc/group incorrectly in
 build container
In-Reply-To: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
 (keinflue@HIDDEN's message of "Thu, 17 Apr 2025 11:20:47 +0000")
References: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
User-Agent: mu4e 1.12.9; emacs 29.4
X-URL: https://people.bordeaux.inria.fr/lcourtes/
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
X-Revolutionary-Date: Octidi 28 Germinal an 233 de la =?utf-8?Q?R=C3=A9vol?=
 =?utf-8?Q?ution=2C?= jour de la =?utf-8?Q?Pens=C3=A9e?=
Date: Thu, 17 Apr 2025 15:30:38 +0200
Message-ID: <878qny530h.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 77862
Cc: 77862 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

--=-=-=
Content-Type: text/plain

Hi,

keinflue <keinflue@HIDDEN> writes:

> When using the new ability of guix-daemon to run as non-root with the
> help of user namespaces, the testsuite of coreutils fails.

Could you include a build log snippet?  (Also useful to have it inline
so that someone searching for discussions about the bug can find it.)

> This is because the daemon incorrectly uses the host GID instead of
> the guest GID in the build container's /etc/group, which the testsuite
> uses to lookup the group's name via id -gn.

I believe the fix you suggest is this:


--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 4ee4a1ae5f..a1f39d9a8b 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -1854,7 +1854,7 @@ void DerivationGoal::startBuilder()
            view of the system (e.g., "id -gn"). */
         writeFile(chrootRootDir + "/etc/group",
             (format("nixbld:!:%1%:\n")
-                % (buildUser.enabled() ? buildUser.getGID() : getgid())).str());
+                % (buildUser.enabled() ? buildUser.getGID() : guestGID)).str());
 
         /* Create /etc/hosts with localhost entry. */
         if (!fixedOutput)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Correct?

Thanks,
Ludo=E2=80=99.

--=-=-=--

Message received at submit <at> debbugs.gnu.org:

Received: (at submit) by debbugs.gnu.org; 17 Apr 2025 11:21:07 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Apr 17 07:21:07 2025
Received: from localhost ([127.0.0.1]:46010 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1u5NIn-0006zb-Pe
	for submit <at> debbugs.gnu.org; Thu, 17 Apr 2025 07:21:07 -0400
Received: from lists.gnu.org ([2001:470:142::17]:58714)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <keinflue@HIDDEN>)
 id 1u5NIj-0006xx-M9
 for submit <at> debbugs.gnu.org; Thu, 17 Apr 2025 07:21:03 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <keinflue@HIDDEN>)
 id 1u5NId-0007X8-Rr
 for bug-guix@HIDDEN; Thu, 17 Apr 2025 07:20:55 -0400
Received: from mout01.posteo.de ([185.67.36.65])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <keinflue@HIDDEN>)
 id 1u5NIb-0000NE-JI
 for bug-guix@HIDDEN; Thu, 17 Apr 2025 07:20:55 -0400
Received: from submission (posteo.de [185.67.36.169]) 
 by mout01.posteo.de (Postfix) with ESMTPS id B6F34240027
 for <bug-guix@HIDDEN>; Thu, 17 Apr 2025 13:20:48 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017;
 t=1744888848; bh=0Zp9kpsVDM1yjzbuhfYuBVA+d731mZtyED2j870JAvk=;
 h=MIME-Version:Date:From:To:Cc:Subject:Message-ID:Content-Type:
 Content-Transfer-Encoding:From;
 b=Lhruc/+YeNtbuoXXKLC+O9dys5LZhItPtcBcSPrVHh/+ALrqphfZ2afqqINKkso33
 ljG5DGerEEjAkkE6+LLGeaL/asXbPYHmMb659D8c6/8aHJ4aGHuZdL+2oCEzwJJMX4
 96MAntljylj1psuGKM8xPO2tppP+w0rCMXDE6F/Q1XCaYYqk3cKY6f87RQf3fqzg8f
 UuEfDETOrxN+fOqbkOHiXNda3v5mQrqUPhG5O7H65yUt42y1U4jcsO1hWjLEt+YRfi
 QZjXsEBuR2EMYdDz8RCvQxMJUqxmXK7MlkgAUmkog+RMchjOMss73JbPYYnVVhR/0/
 gUV8tsPGF5izg==
Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 4Zdb6m0z5rz9rxM;
 Thu, 17 Apr 2025 13:20:47 +0200 (CEST)
MIME-Version: 1.0
Date: Thu, 17 Apr 2025 11:20:47 +0000
From: keinflue <keinflue@HIDDEN>
To: bug-guix@HIDDEN
Subject: guix-daemon run as non-root sets up /etc/group incorrectly in build
 container
Message-ID: <86b5c54e8412686790b6bf50525a6231@HIDDEN>
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=185.67.36.65; envelope-from=keinflue@HIDDEN;
 helo=mout01.posteo.de
X-Spam_score_int: -43
X-Spam_score: -4.4
X-Spam_bar: ----
X-Spam_report: (-4.4 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,
 RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 1.0 (+)
X-Debbugs-Envelope-To: submit
Cc: ludo@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.0 (/)

When using the new ability of guix-daemon to run as non-root with the 
help of user namespaces, the testsuite of coreutils fails.

This is because the daemon incorrectly uses the host GID instead of the 
guest GID in the build container's /etc/group, which the testsuite uses 
to lookup the group's name via id -gn.