stdenv: default fixupPhase bails if setuid files got installed

[vcunat]

Example: https://hydra.nixos.org/build/254601361/nixlog/1/tail
Details:

++ chmod -R u+w /nix/store/wwxn8yz0376ailcnj18a0mbp9kf30r4z-lxc-5.0.3
chmod: changing permissions of '/nix/store/wwxn8yz0376ailcnj18a0mbp9kf30r4z-lxc-5.0.3/libexec/lxc/lxc-user-nic': Operation not permitted

The permissions

-rwsr-xr-x 1 nixbld1 nixbld 1271576 $date /nix/store/6g9fhcrc4iwcf4x4l1vsya15441n8lhi-lxc-5.0.3/libexec/lxc/lxc-user-nic

I'm baffled why this started, i.e. which commit triggered the change (can't see relevant change in setup hooks or coreutils), though it can surely get fixed even without knowing that. Introduced somewhere during staging* (PR #298548).

Note: obviously, nix will strip any set*id bits when registering the result into the nix store anyway, so the point is only to avoid the failure.

[vcunat]

I assume it would work to do something like

--- a/pkgs/stdenv/generic/setup.sh
+++ b/pkgs/stdenv/generic/setup.sh
@@ -1424 +1424 @@ fixupPhase() {
-        if [ -e "${!output}" ]; then chmod -R u+w "${!output}"; fi
+        if [ -e "${!output}" ]; then chmod -R u+w,u-s,g-s "${!output}"; fi

[lf-]

oh hi, this is caused by nix having an extremely silly seccomp policy that blocks chmod with the sticky bit. the thing is though, it is blatantly possible to bypass (consider .... the open syscall, which it doesn't block at all), and has zero security purpose. we should honestly just delete this failed attempt at sandboxing.

https://github.com/NixOS/nix/blob/8b16cced18925aa612049d08d5e78eccbf0530e4/src/libstore/build/local-derivation-goal.cc#L1650-L1663

The policy is supposed to stop you from creating setuid files, which normal users are allowed to do and it will let other users become them. However, a) it doesn't work and b) these perms are supposed to get wiped after the build finishes anyway and c) doesn't present any obvious security exposure to me. (i would be ... overall suspicious of security holes in the sandbox around this stuff, but i don't think there is one here)

[vcunat]

Let me copy from stdenv chat:

With kernel ≥6.6 and glibc 2.39, lxc's install phase uses fchmodat2, which slips through https://github.com/NixOS/nix/blob/9b88e5284608116b7db0dbd3d5dd7a33b90d52d7/src/libstore/build/local-derivation-goal.cc#L1650-L1663. The fixupPhase then uses fchmodat, which fails.
With older kernel or glibc, setting the suid bit fails in the install phase, which is not treated as fatal, and then the fixup phase does not try to set it again.

[Ma27]

Ouch sorry for that.

So, the immediate fallout (failing builds) seems fixed. However, there's a certain danger of this coming up again in different scenarios (6.6 will be the default on 24.05), so I'd file a bug against the Nix repo (haven't seen any so far, but will double-check). I agree with @lf- that we can probably drop the entire filtering, but if that leads to too much discussion, I'll probably file a patch that adds fchmodat2 as short-term solution because I'd rather not have the core issue in 24.05.