Mirrors/nixos-infect
2
0
Fork 1
mirror of https://github.com/elitak/nixos-infect synced 2025-03-14 13:46:59 +00:00
Code Issues Projects Releases Packages Wiki Activity

fix: enable unprivileged user namespaces for successful group resolution

Browse source 
Added `sysctl kernel.unprivileged_userns_clone=1` to ensure proper group name resolution for higher GIDs during the infection process. This resolves issues where commands like `id` fail in restricted environments lacking user namespace support.
This commit is contained in:
jr_blue_551 2025-01-05 20:06:50 +00:00 committed by GitHub
parent 5ef3f953d3
commit f6e5478657
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 8 additions and 0 deletions

8
nixos-infect
View file

@ -317,7 +317,15 @@ checkEnv() {
infect() {
# Add nix build users
# Ensure kernel.unprivileged_userns_clone is enabled to prevent issues where
# certain commands (e.g., `id`) fail to resolve group names for higher GIDs.
# This setting is particularly important for environments where user namespaces
# are restricted, which can lead to failures during the infection process.
sysctl kernel.unprivileged_userns_clone=1
# FIXME run only if necessary, rather than defaulting true
groupadd nixbld -g 30000 || true
for i in {1..10}; do
useradd -c "Nix build user $i" -d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" "nixbld$i" || true