bug#78152: [PATCH] nix: Ensure the nixbld user directory matches HOME.

Fri, 02 May 2025 08:58:22 -0700 

Maxim Cournoyer <maxim.courno...@gmail.com> writes:

> * nix/libstore/build.cc (DerivationGoal::startBuilder)
> </etc/passwd>: Adjust build user directory.
>
> Fixes: <https://issues.guix.gnu.org/78152>
> Change-Id: I242940195e49b2ee9544e9e5211a6598f682cbfe
> ---
> The fix was tested by:
>
> 1. Exiting all 'guix shell' envs then # herd stop guix-daemon
>
> 2. sudo -E ./pre-inst-env guix-daemon --build-users-group guixbuild \
>    --max-silent-time 3600 --timeout 86400 --log-compression none \
>    --discover=no --substitute-urls \
>    'https://bordeaux.guix.gnu.org https://ci.guix.gnu.org' --max-jobs=10 &
>
> 3. Apply the following diff:
> modified   gnu/packages/ssh.scm
> @@ -182,13 +182,7 @@ (define-public libssh
>                ;; Test sources.
>                (substitute* '("tests/server/test_server/default_cb.c")
>                  (("\"/bin/sh\"")
> -                 (format #f "~s" (which "sh"))))))
> -          (add-before 'check 'prepare-for-tests
> -            ;; A few test rely on the assumption that HOME == user's pw_dir,
> -            ;; which is not satisfied in Guix, where `pw_dir' is '/' while
> -            ;; HOME is '/homeless-shelter'.
> -            (lambda _
> -              (setenv "HOME" "/"))))))
> +                 (format #f "~s" (which "sh")))))))))
>      (native-inputs (list cmocka))
>      (inputs (list bash-minimal mit-krb5 openssl zlib))
>      (synopsis "SSH client library")
>
> 4. Building it successfully: ./pre-inst-env guix build libssh
>  nix/libstore/build.cc | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
> index a1f39d9a8bf..2cf2a7d06c2 100644
> --- a/nix/libstore/build.cc
> +++ b/nix/libstore/build.cc
> @@ -1845,7 +1845,7 @@ void DerivationGoal::startBuilder()
>  
>          writeFile(chrootRootDir + "/etc/passwd",
>              (format(
> -                "nixbld:x:%1%:%2%:Nix build user:/:/noshell\n"
> +                "nixbld:x:%1%:%2%:Nix build 
> user:/homeless-shelter:/noshell\n"
>                  "nobody:x:65534:65534:Nobody:/:/noshell\n")
>                  % (buildUser.enabled() ? buildUser.getUID() : guestUID)
>                  % (buildUser.enabled() ? buildUser.getGID() : 
> guestGID)).str());
>
> base-commit: b2b7d2a3275d5ba866ae7fecac928ed4bd416beb

LGTM.

Reviewed-by: Tomas Volf <~@wolfsden.cz>

-- 
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.

Reply via email to