Can't run non-sandboxed builds on NixOS 18.09

Is this a bug or am I doing something wrong?
(I’m on rev 1ada6fc.)

```
nix-build --option sandbox false --no-out-link -E '
  (import <nixpkgs> {}).runCommand "_" {} "env"
' 2>&1 | grep TMP
# Outputs TMPDIR=/build instead of /tmp/nix-build-_.drv-0 like in non-sandboxed builds
```

Edit: When downgrading to 18.03 and setting nix.package = {nix 2.1.1} (the nix version of 18.09), while otherwise using the exact same NixOS config, the bug doesn’t appear and the explicit sandbox option is honored.

1 Like

Your user must be trusted by the nix-daemon to be able to disable the sandbox.

```
$ grep joerg /etc/nix/nix.conf
trusted-users = joerg
```

1 Like

Thanks a lot!
I just wasted a huge amount of time with this issue, so it should definitely be mentioned in the release notes, like so:

The module option nix.useSandbox is now defaulted to true.
Note that for disabling sandboxing with `--option sandbox false` you have to be a trusted user (see nix option `trusted-users`).

Was this really changed in the last release? I thought we had this for longer. If not, you can add it to the release notes.

Yes, sandbox is enabled by default starting from 18.09.

Actually, the optimal solution would be for nix to issue a warning when --option sandbox is used by an untrusted user. No need for extra release notes then. (The new default for useSandbox is already mentioned.)

Edit: But that would entail a new nix release and an upgrade in 18.09, which won’t happen for quite some time. So we still need to amend the release notes.

1 Like

Related:

- `nix copy` silently ignores --no-check-sigs unless user is trusted · Issue #1761 · NixOS/nix · GitHub
- nix build does not respect --builders flag · Issue #2286 · NixOS/nix · GitHub
- Allow untrusted user to specify using subset of builders · Issue #2271 · NixOS/nix · GitHub

I’ve been bitten by the same issue. I tried to address it here: Daemon: warn when an untrusted user cannot override a setting by NinjaTrappeur · Pull Request #2931 · NixOS/nix · GitHub

1 Like
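The cause identified in this thread, as an added example that is not part of the original posts or of Nix's own code: a shell check of whether a user matches the `trusted-users` entries of a nix.conf file, which tells you in advance whether the daemon will honor `--option sandbox false`. The function names, the constructed sample config, and passing the user's groups as an argument are assumptions of this sketch; `include` directives are not followed.

```shell
#!/bin/sh
# trusted_entries CONF: print the effective trusted-users entries, one per line.
# Nix's default is "root"; trusted-users replaces the list, extra-trusted-users
# appends to it. "include" directives are not followed (simplification).
trusted_entries() {
    awk '
        BEGIN { list = "root" }
        { sub(/#.*/, "") }                      # drop comments
        $2 == "=" && $1 == "trusted-users" { list = "" }
        $2 == "=" && ($1 == "trusted-users" || $1 == "extra-trusted-users") {
            for (i = 3; i <= NF; i++) list = list " " $i
        }
        END { n = split(list, a, " "); for (i = 1; i <= n; i++) print a[i] }
    ' "$1"
}

# is_trusted USER CONF GROUPS: exit status 0 if USER, or one of the
# space-separated GROUPS, matches an entry ("name", "@group" or "*").
# The body runs in a subshell so "set -f" and the variables do not leak.
is_trusted() (
    set -f                                      # an entry "*" must not glob-expand
    user=$1; grps=$3
    for entry in $(trusted_entries "$2"); do
        case $entry in
            '*'|"$user") exit 0 ;;
            @*) for g in $grps; do [ "@$g" = "$entry" ] && exit 0; done ;;
        esac
    done
    exit 1
)

# Constructed sample config: the trusted-users line from the thread plus a group.
sample_conf() {
    f=$(mktemp)
    printf '%s\n' 'sandbox = true' 'trusted-users = joerg  # as in the thread' \
        'extra-trusted-users = @wheel' > "$f"
    echo "$f"
}

conf=$(sample_conf)
for u in joerg alice; do                        # alice is a hypothetical user
    if is_trusted "$u" "$conf" "users"; then
        echo "$u: trusted, --option sandbox false is honored"
    else
        echo "$u: untrusted, the daemon keeps its own sandbox setting"
    fi
done
rm -f "$conf"
```

On a real machine, pass `/etc/nix/nix.conf` and the output of `id -Gn "$USER"` as the second and third arguments.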