Running nix-build on the code below finishes without error, whereas I would expect it to fail to fetch from the internet.
{ pkgs ? import <nixpkgs> { } }:
pkgs.runCommand "foo" { } ''
  mkdir $out
  ${pkgs.curl}/bin/curl http://example.com -o $out/foo
''
In order to trigger a sandboxing error, I have to run nix-build --sandbox:
❯ nix-build --sandbox
this derivation will be built:
/nix/store/d9wjpaxd0d2hfdla9kqhsshcp37k2mr2-foo.drv
building '/nix/store/d9wjpaxd0d2hfdla9kqhsshcp37k2mr2-foo.drv'...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (6) Could not resolve host: example.com
error: builder for '/nix/store/d9wjpaxd0d2hfdla9kqhsshcp37k2mr2-foo.drv' failed with exit code 6;
last 3 log lines:
> % Total % Received % Xferd Average Speed Time Time Time Current
> Dload Upload Total Spent Left Speed
> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (6) Could not resolve host: example.com
For full logs, run 'nix log /nix/store/d9wjpaxd0d2hfdla9kqhsshcp37k2mr2-foo.drv'.
My /etc/nix/nix.conf:
❯ cat /etc/nix/nix.conf
# WARNING: this file is generated from the nix.* options in
# your NixOS configuration, typically
# /etc/nixos/configuration.nix. Do not edit it!
build-users-group = nixbld
max-jobs = 4
cores = 0
sandbox = true
extra-sandbox-paths =
substituters = https://cache.nixos.org/
trusted-substituters =
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
auto-optimise-store = false
require-sigs = true
trusted-users = root asymmetric
allowed-users = *
builders =
system-features = nixos-test benchmark big-parallel kvm
sandbox-fallback = false
experimental-features = nix-command flakes
(note the sandbox = true value).
Does trusted-users have anything to do with this?
This is a NixOS unstable system.