Inconsistent treatment of /usr/bin/env in build sandbox vs. NixOS #1205
Comments
|
IMO this isn't a nix issue. It's part of your stdenv what kinds of things you expect to be available (and ideally your sandbox could be configured at least in part accordingly). But I do agree we should have a specification here. |
|
Relevant: NixOS/nixpkgs#6227 ("chroot environments have no |
|
Is there a reason not to add it by default, like we do for |
|
I'd probably err on the side of making it consistent first (so adding |
|
Does somebody know how it can be that I'm currently trying to debug sage (NixOS/nixpkgs#31714). But I can't test it myself, since the build (with the same commands @siddharthist uses, including sandbox) works for me. Is that a bug? |
|
Purity idea: make the |
|
This is pretty annoying to hit. Because |
|
FWIW, NixOS has the (hidden) option |
|
This seriously defeats the purpose of |
|
I marked this as stale due to inactivity. → More info |
|
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/what-is-the-patchshebangs-command-in-nix-build-expressions/12656/2 |
|
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/what-is-the-patchshebangs-command-in-nix-build-expressions/12656/1 |
Indeed. Does anyone know why access to |
|
For starters, there is no reason that Nix should do what NixOS does, and visa versa. They're two independent projects. Second, I'm -1 on providing env in the sandbox as an exception to the sandboxing rules. |
Fair enough. There are plenty of things that NixOS has that I don't expect in a sandboxed environment. My reason for wanting it is just to simplify packages.
I see. Is this not the case also for difference C compilers though? stdenv on Mac uses clang and on linux uses gcc. Are those more similar in terms of features / beahviour than different envs? Or is it just a question of trying to minimize those differences (a C compiler is necessary, env is evidently not, since we've gotten on without it). Also, the use-case I'm thinking of (and it seems other people are also) is just simple shebangs. Could we put in a bare-bones (I hope this doesn't come off as pushy, I'm just trying to problem-solve. At the end of the day I'm happy to defer to others' expertise.) |
|
It is the same as with C compilers, but Nix does not provide a C
compiler impurely: Nixpkgs does, purely.
We can’t provide an env implementation that will avoid the need for
patching, so we should provide none and skip the impurity.
On April 26, 2021, GitHub ***@***.***> wrote:
> For starters, there is no reason that Nix should do what NixOS does,
> and visa versa.
>
Fair enough. There are plenty of things that NixOS has that I don't
expect in a sandboxed environment. My reason for wanting it is just to
simplify packages.
> Second, env is not a universal constant. Different envs behave
> differently. The macOS env and GNU env and busybox env and toybox
> env all behave differently with different features.
>
I see. Is this not the case also for difference C compilers though?
stdenv on Mac uses clang and on linux uses gcc. Are those more similar
in terms of features / beahviour than different envs? Or is it just a
question of trying to minimize those differences (a C compiler is
necessary, env is evidently not, since we've gotten on without it).
Also, the use-case I'm thinking of (and it seems other people are
also) is just simple shebangs. Could we put in a bare-bones env that
searches $PATH for executables, but if you try to use it in more
advanced ways that wouldn't be compatible between different envs, it
fails with a helpful error message?
(I hope this doesn't come off as pushy, I'm just trying to problem-
solve. At the end of the day I'm happy to defer to others' expertise.)
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#1205 (comment)>, or
unsubscribe <https://github.com/notifications/unsubscribe-
auth/AAASXLDEN2JAMCT4PLPUS33TKYWKTANCNFSM4C5W3GNQ>.
|
Ah. I think I understand the issue now. The Nix sandbox actually provides access to extremely few binaries on it's own, everything is brought in through nixpkgs (or something else, in theory). For instance, even if we wanted to, it wouldn't be possible to provide a symlink to Thanks. |
|
Exactly! |
|
So it seems that we would need to add support to Nix to add paths to the sandbox. Then we can get rid of the hack in https://github.com/NixOS/nixpkgs/blob/08bf000fe2e385f2253428eef77f952e3dc187c5/nixos/modules/services/misc/nix-daemon.nix#L45. I guess the main concern is how this would work without sandboxing. Can we still create a mount namespace? |
I'm not sure we can get rid of that, since at some point I think we need something like that for bootstrapping. Although perhaps being able to specify symlinks outside of /nix/store for the build sandbox might be interesting... but also I feel a can of worms that we might not want to open. |
I don't see why. I'm not super familiar with the bootstrap cycle but it seems like we probably need a |
|
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/what-is-sandboxing-and-what-does-it-entail/15533/1 |
|
I marked this as stale due to inactivity. → More info |
fricklerhandwerk
added
the
UX
|
For those annoyed at having to patch shebangs in third party scripts, you can always do something like this to provide your own { pkgs ? import <nixpkgs> {}
}:
let
usrBinEnvHook = pkgs.makeSetupHook { name = "usr-bin-env-hook"; } (pkgs.writeText "create-usr-bin-env.sh" ''
mkdir -m 0755 -p /usr/bin
ln -sfn "${pkgs.coreutils}/bin/env" /usr/bin/env
'');
in
pkgs.runCommand "example" { buildInputs = [ usrBinEnvHook ]; } ''
mkdir -p $out && cd $out
${./some-script-that-uses-usr-bin-env.sh}
''I wonder, could it maybe make sense to provide this as part of nixpkgs? For example |
|
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/building-openwrt-as-derivation/39936/6 |
I always assumed that since NixOS went out of its way to create a
/usr/bin/env, that it would be available inside a sandboxed build as well, but that appears not to be the case.It seems like we should have a "Nix contract", basically stating things like: you can expect to have GNU coreutils,
find,sed, impure/bin/sh,/dev/null, etc.Then we make NixOS satisfy that contract (by adding
/bin/sh) and we make the sandboxed builder environment satisfy it too. It's unclear to me whether/usr/bin/envbelongs in that contract or not, but it does seem pretty confusing that it's in one place and not the other.cc @edolstra @shlevy
The text was updated successfully, but these errors were encountered: