From 2524a2118647a4125dcae08fe0eb20de5f79a291 Mon Sep 17 00:00:00 2001
From: John Ericson <John.Ericson@Obsidian.Systems>
Date: Mon, 15 May 2023 12:38:39 -0400
Subject: [PATCH 1/2] Update src/libstore/build/local-derivation-goal.cc

Co-authored-by: Guillaume Girol <symphorien@users.noreply.github.com>
---
 src/libstore/build/local-derivation-goal.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 6d2d458da..a50fe1a28 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -910,7 +910,7 @@ void LocalDerivationGoal::startBuilder()
                after we've created the new user namespace. */
             if (settings.dropSupplementaryGroups)
                 if (setgroups(0, 0) == -1)
-                    throw SysError("setgroups failed");
+                    throw SysError("setgroups failed. Set the drop-supplementary-groups option to false to skip this step.");
 
             ProcessOptions options;
             options.cloneFlags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | CLONE_PARENT | SIGCHLD;

From d8ef0c949523324615b66059b3d48c4c445f478b Mon Sep 17 00:00:00 2001
From: John Ericson <John.Ericson@Obsidian.Systems>
Date: Mon, 15 May 2023 17:41:51 -0400
Subject: [PATCH 2/2] Add some tests for `drop-supplementary-groups`

---
 tests/common.sh                       |  2 +-
 tests/common/vars-and-functions.sh.in |  2 +-
 tests/hermetic.nix                    | 56 +++++++++++++++++++++++++++
 tests/local.mk                        |  1 +
 tests/supplementary-groups.sh         | 33 ++++++++++++++++
 5 files changed, 92 insertions(+), 2 deletions(-)
 create mode 100644 tests/hermetic.nix
 create mode 100644 tests/supplementary-groups.sh

diff --git a/tests/common.sh b/tests/common.sh
index 8941671d6..7b0922c9f 100644
--- a/tests/common.sh
+++ b/tests/common.sh
@@ -4,7 +4,7 @@ if [[ -z "${COMMON_SH_SOURCED-}" ]]; then
 
 COMMON_SH_SOURCED=1
 
-source "$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")/common/vars-and-functions.sh"
+source "$(readlink -f "$(dirname "${BASH_SOURCE[0]-$0}")")/common/vars-and-functions.sh"
 if [[ -n "${NIX_DAEMON_PACKAGE:-}" ]]; then
     startDaemon
 fi
diff --git a/tests/common/vars-and-functions.sh.in b/tests/common/vars-and-functions.sh.in
index a9e6c802f..dc7ce13cc 100644
--- a/tests/common/vars-and-functions.sh.in
+++ b/tests/common/vars-and-functions.sh.in
@@ -4,7 +4,7 @@ if [[ -z "${COMMON_VARS_AND_FUNCTIONS_SH_SOURCED-}" ]]; then
 
 COMMON_VARS_AND_FUNCTIONS_SH_SOURCED=1
 
-export PS4='+(${BASH_SOURCE[0]}:$LINENO) '
+export PS4='+(${BASH_SOURCE[0]-$0}:$LINENO) '
 
 export TEST_ROOT=$(realpath ${TMPDIR:-/tmp}/nix-test)/${TEST_NAME:-default}
 export NIX_STORE_DIR
diff --git a/tests/hermetic.nix b/tests/hermetic.nix
new file mode 100644
index 000000000..4c9d7a51f
--- /dev/null
+++ b/tests/hermetic.nix
@@ -0,0 +1,56 @@
+{ busybox, seed }:
+
+with import ./config.nix;
+
+let
+  contentAddressedByDefault = builtins.getEnv "NIX_TESTS_CA_BY_DEFAULT" == "1";
+  caArgs = if contentAddressedByDefault then {
+    __contentAddressed = true;
+    outputHashMode = "recursive";
+    outputHashAlgo = "sha256";
+  } else {};
+
+  mkDerivation = args:
+    derivation ({
+      inherit system;
+      builder = busybox;
+      args = ["sh" "-e" args.builder or (builtins.toFile "builder-${args.name}.sh" "if [ -e .attrs.sh ]; then source .attrs.sh; fi; eval \"$buildCommand\"")];
+    } // removeAttrs args ["builder" "meta" "passthru"]
+    // caArgs)
+    // { meta = args.meta or {}; passthru = args.passthru or {}; };
+
+  input1 = mkDerivation {
+    shell = busybox;
+    name = "hermetic-input-1";
+    buildCommand = "echo hi-input1 seed=${toString seed}; echo FOO > $out";
+  };
+
+  input2 = mkDerivation {
+    shell = busybox;
+    name = "hermetic-input-2";
+    buildCommand = "echo hi; echo BAR > $out";
+  };
+
+  input3 = mkDerivation {
+    shell = busybox;
+    name = "hermetic-input-3";
+    buildCommand = ''
+      echo hi-input3
+      read x < ${input2}
+      echo $x BAZ > $out
+    '';
+  };
+
+in
+
+  mkDerivation {
+    shell = busybox;
+    name = "hermetic";
+    passthru = { inherit input1 input2 input3; };
+    buildCommand =
+      ''
+        read x < ${input1}
+        read y < ${input3}
+        echo "$x $y" > $out
+      '';
+  }
diff --git a/tests/local.mk b/tests/local.mk
index 9e340e2e2..9cb81e1f0 100644
--- a/tests/local.mk
+++ b/tests/local.mk
@@ -93,6 +93,7 @@ nix_tests = \
   misc.sh \
   dump-db.sh \
   linux-sandbox.sh \
+  supplementary-groups.sh \
   build-dry.sh \
   structured-attrs.sh \
   shell.sh \
diff --git a/tests/supplementary-groups.sh b/tests/supplementary-groups.sh
new file mode 100644
index 000000000..fd3da2945
--- /dev/null
+++ b/tests/supplementary-groups.sh
@@ -0,0 +1,33 @@
+source common.sh
+
+requireSandboxSupport
+[[ $busybox =~ busybox ]] || skipTest "no busybox"
+if ! command -p -v unshare; then skipTest "Need unshare"; fi
+needLocalStore "The test uses --store always so we would just be bypassing the daemon"
+
+unshare --mount --map-root-user bash <<EOF
+  source common.sh
+
+  setLocalStore () {
+    export NIX_REMOTE=\$TEST_ROOT/\$1
+    mkdir -p \$NIX_REMOTE
+  }
+
+  cmd=(nix-build ./hermetic.nix --arg busybox "$busybox" --arg seed 1)
+
+  # Fails with default setting
+  # TODO better error
+  setLocalStore store1
+  expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process"
+
+  # Fails with `drop-supplementary-groups`
+  # TODO better error
+  setLocalStore store2
+  NIX_CONFIG='drop-supplementary-groups = true' \
+    expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process"
+
+  # Works without `drop-supplementary-groups`
+  setLocalStore store3
+  NIX_CONFIG='drop-supplementary-groups = false' \
+    "\${cmd[@]}"
+EOF