Running a setuid-root binary inside a Nix sandbox does not actually set the uid to 0. For example, `whoami` will report `nixbld`, and `security.wrappers` programs will crash with an assertion failure when detecting that the effective uid does not match the file uid.
Can reproduce either by calling `/run/wrappers/bin/sudo` in the sandbox (have to make it visible) or by running `/run/as/root $(which id)` with my little asroot NixOS module.
Seems to me like the `allow-new-privileges` option was added to make this work (#1429) but that this is not working with Nix from NixOS 18.09.
Notes:
- NixOS 18.09.
- Setuid binary on a filesystem that does not have `nosetuid` flag.
- Nix.conf includes `allow-new-privileges = true`.
Wild guess: Could this be due to userns sandboxing not providing a usable root user?
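
Linux skips the setuid transition at `execve()` when the mount is `nosuid`, when the process has `no_new_privs` set, or when the file's owner has no mapping in the process's user namespace. The following diagnostic is an added example, not part of the original report or of Nix; its function names and sample data are constructed for illustration.

```python
import os
import stat
import sys

def mapped_inside(uid, uid_map_text):
    """True if uid falls in an inside-namespace range of a uid_map dump."""
    for line in uid_map_text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            start, _outside, length = map(int, fields)
            if start <= uid < start + length:
                return True
    return False

def setuid_blockers(st_mode, st_uid, nosuid, status_text, uid_map_text,
                    overflow_uid=65534):
    """Return the reasons execve() would ignore this file's setuid bit."""
    reasons = []
    if not st_mode & stat.S_ISUID:
        reasons.append("setuid bit not set")
    if nosuid:
        reasons.append("filesystem mounted nosuid")
    for line in status_text.splitlines():
        if line.startswith("NoNewPrivs:") and line.split()[1] == "1":
            reasons.append("no_new_privs is set")
    # An owner with no mapping in this user namespace is reported by stat()
    # as the overflow uid; the kernel then skips the setuid transition.
    if st_uid == overflow_uid and not mapped_inside(st_uid, uid_map_text):
        reasons.append("file owner not mapped in user namespace")
    return reasons

def _read(path):
    with open(path) as f:
        return f.read()

def probe(path):
    """Collect the real values for path on a Linux host and evaluate them."""
    st = os.stat(path)
    nosuid = bool(os.statvfs(path).f_flag & os.ST_NOSUID)
    return setuid_blockers(st.st_mode, st.st_uid, nosuid,
                           _read("/proc/self/status"), _read("/proc/self/uid_map"),
                           int(_read("/proc/sys/kernel/overflowuid")))

# Constructed sample: a user namespace that maps one unprivileged uid only.
SAMPLE_STATUS = "Name:\tid\nUid:\t1000\t1000\t1000\t1000\nNoNewPrivs:\t0\n"
SAMPLE_UID_MAP = "      1000      30001          1\n"

if __name__ == "__main__":
    print(probe(sys.argv[1]))  # pass the setuid binary's path as the argument
```

Run inside the sandbox against the binary in question, an empty list means none of these three conditions applies.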