Can't run non-sandboxed builds on NixOS 18.09


#1

Is this a bug or am I doing something wrong?
(I’m on rev 1ada6fc.)

nix-build --option sandbox false --no-out-link -E '
  (import <nixpkgs> {}).runCommand "_" {} "env"
' 2>&1 | grep TMP
# Outputs TMPDIR=/build instead of /tmp/nix-build-_.drv-0 like in non-sandboxed builds

Edit: When downgrading to 18.03 and setting nix.package = {nix 2.1.1} (the nix version of 18.09), while otherwise using the exact same NixOS config, the bug doesn’t appear and the explicit sandbox option is honored.


#2

Your user must be trusted by the nix-daemon to be able to disable the sandbox.

$ grep joerg /etc/nix/nix.conf
trusted-users = joerg
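
The check described in this reply, as an added example that is not part of the thread: a POSIX shell script that reads the `trusted-users` setting from a nix.conf and reports whether a given user's `--option sandbox false` would be honoured by the daemon or silently ignored. The sample nix.conf, user names and group names are constructed; `conf_value`, `is_trusted` and `sandbox_override_honoured` are helper names chosen here; it assumes Nix's documented default of `trusted-users = root` when the key is unset.

```shell
#!/bin/sh
# Added example, not from the thread: given nix.conf contents, tell whether a
# user may disable the build sandbox with `--option sandbox false`.
# Assumption: the daemon honours sandbox overrides only from users (or groups,
# written with a leading "@") listed in trusted-users; the default is "root".

# Constructed sample nix.conf, embedded so the script runs offline.
SAMPLE_CONF='sandbox = true
trusted-users = root joerg @wheel
allowed-users = *'

# conf_value CONF KEY -> prints the value of KEY (last occurrence), empty if unset.
# The "=" after the key keeps "sandbox" from matching "sandbox-paths".
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# is_trusted CONF USER [GROUP...] -> exit 0 if USER, or any GROUP as "@GROUP",
# appears in trusted-users.
is_trusted() {
    conf=$1; user=$2; shift 2
    trusted=$(conf_value "$conf" trusted-users)
    [ -n "$trusted" ] || trusted=root   # documented Nix default when unset
    for entry in $trusted; do
        [ "$entry" = "$user" ] && return 0
        for g in "$@"; do
            [ "$entry" = "@$g" ] && return 0
        done
    done
    return 1
}

# sandbox_override_honoured CONF USER [GROUP...] -> "honoured" or "ignored".
# "ignored" is the situation from the original post: the build still runs
# with TMPDIR=/build because the daemon dropped the untrusted override.
sandbox_override_honoured() {
    if is_trusted "$@"; then echo honoured; else echo ignored; fi
}

# Real-system usage (assumes /etc/nix/nix.conf is readable and `id` exists):
#   sandbox_override_honoured "$(cat /etc/nix/nix.conf)" "$(id -un)" $(id -Gn)
```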

#3

#4

Thanks a lot!
I just wasted a huge amount of time with this issue, so it should definitely be mentioned in the release notes, like so:

The module option nix.useSandbox is now defaulted to true.
Note that for disabling sandboxing with `--option sandbox false` you have to be a trusted user (see nix option `trusted-users`).

#5

Was this really changed in the last release? I thought we had this for longer. If not, you can add it to the release notes.


#6

Yes, sandbox is enabled by default starting from 18.09.


#7

Actually, the optimal solution would be for nix to issue a warning when --option sandbox is used by an untrusted user. No need for extra release notes then. (The new default for useSandbox is already mentioned.)

Edit: But that would entail a new nix release and an upgrade in 18.09, which won’t happen for quite some time. So we still need to amend the release notes.


#8

Related: https://github.com/NixOS/nix/issues/1761, https://github.com/NixOS/nix/issues/2286, https://github.com/NixOS/nix/issues/2271