Merge branch 'best-effort-supplementary-groups' into overlayfs-store

src/libstore/build/local-derivation-goal.cc

@@ -910,7 +910,7 @@ void LocalDerivationGoal::startBuilder()
                after we've created the new user namespace. */
             if (settings.dropSupplementaryGroups)
                 if (setgroups(0, 0) == -1)
-                    throw SysError("setgroups failed");
+                    throw SysError("setgroups failed. Set the drop-supplementary-groups option to false to skip this step.");
 
             ProcessOptions options;
             options.cloneFlags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | CLONE_PARENT | SIGCHLD;

tests/local.mk

@@ -93,6 +93,7 @@ nix_tests = \
   misc.sh \
   dump-db.sh \
   linux-sandbox.sh \
+  supplementary-groups.sh \
   build-dry.sh \
   structured-attrs.sh \
   shell.sh \

tests/supplementary-groups.sh

@@ -0,0 +1,33 @@
+source common.sh
+
+requireSandboxSupport
+[[ $busybox =~ busybox ]] || skipTest "no busybox"
+if ! command -p -v unshare; then skipTest "Need unshare"; fi
+needLocalStore "The test uses --store always so we would just be bypassing the daemon"
+
+unshare --mount --map-root-user bash <<EOF
+  source common.sh
+
+  setLocalStore () {
+    export NIX_REMOTE=\$TEST_ROOT/\$1
+    mkdir -p \$NIX_REMOTE
+  }
+
+  cmd=(nix-build ./hermetic.nix --arg busybox "$busybox" --arg seed 1)
+
+  # Fails with default setting
+  # TODO better error
+  setLocalStore store1
+  expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process"
+
+  # Fails with `drop-supplementary-groups`
+  # TODO better error
+  setLocalStore store2
+  NIX_CONFIG='drop-supplementary-groups = true' \
+    expectStderr 1 "\${cmd[@]}" | grepQuiet "unable to start build process"
+
+  # Works without `drop-supplementary-groups`
+  setLocalStore store3
+  NIX_CONFIG='drop-supplementary-groups = false' \
+    "\${cmd[@]}"
+EOF