Nix 2.2 enabled sandboxing on Linux by default, breaking a bunch of installations by default #3000

Open
grahamc opened this issue Jul 19, 2019 · 9 comments

@grahamc
Member

grahamc commented Jul 19, 2019

I think it was the right idea to enable it by default, but probably having a way to detect its support first might be good.

The change broke installations for:

  • centos6
  • centos7
  • debian8
  • debian9
  • gentoo
  • ubuntu12.04

Grid comparison:

Open these up into new tabs and swap between them to see the differences.

Full reports:

@FruitieX

FruitieX commented Jul 29, 2019

Possibly related, installation under WSL 2 Ubuntu is also broken:

    error: while setting up the build environment: mounting /proc: Operation not permitted
    ./install: unable to install Nix into your default profile

Disabling sandboxing seems to help:

    mkdir -p ~/.config/nix
    echo "sandbox = false" > ~/.config/nix/nix.conf

With this workaround in place I was able to complete installation of Nix under WSL 2 simply by re-running the installation script.

@stale

stale bot commented Feb 18, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the stale label Feb 18, 2021
@valignatev

This is still relevant mr bot, thank you

@stale stale bot removed the stale label Oct 19, 2021
@SuperSandro2000
Member

SuperSandro2000 commented Oct 19, 2021

Ubuntu 12.04, centos 6 and debian 8 are really old and I don't think we should spend time on them.

debian9 and gentoo can probably be fixed by either installing rsync which should not be required on newer version IIRC.

Edit:
rsync requirement got removed with #5150

@valignatev

Ah, I had this problem yesterday on archlinux with very fresh updates, and I went to this issue from the archwiki where it was listed together with the workaround

@klarkc

klarkc commented Nov 14, 2021

> Ah, I had this problem yesterday on archlinux with very fresh updates, and I went to this issue from the archwiki where it was listed together with the workaround

The workaround there says to disable the sandbox in the nix config file. Is this an important thing? Should that be disabled?

@MagicRB
Contributor

MagicRB commented Dec 29, 2021

@klarkc extremely, it's akin to disabling sandboxing in docker: a malicious build script could read all your files, send them off to a server, and you'd never notice
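
An added example, not part of the thread and not code from the Nix project: a small shell audit that reports whether the `sandbox = false` workaround quoted above is still in effect. It assumes the last assignment wins, with the system file read before the per-user file, and it does not follow `include` lines or legacy option names; the function names and sample files are made up for illustration.

```shell
#!/bin/sh
# Added example: report the effective `sandbox` value from nix.conf files.

# effective_sandbox FILE... -> prints the last value assigned to `sandbox`,
# or "unset" if no readable file assigns it. Later files override earlier ones.
effective_sandbox() {
    value=unset
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Strip comments, match exactly the key `sandbox`, keep the last match.
        v=$(sed -e 's/#.*//' "$f" |
            awk -F= '$1 ~ /^[ \t]*sandbox[ \t]*$/ { gsub(/[ \t]/, "", $2); val = $2 }
                     END { if (val != "") print val }')
        [ -n "$v" ] && value=$v
    done
    printf '%s\n' "$value"
}

# sandbox_disabled FILE... -> exit status 0 when the effective value is "false".
sandbox_disabled() {
    [ "$(effective_sandbox "$@")" = "false" ]
}

# audit_nix_sandbox -> checks the system file and the per-user file used in
# this thread; returns 1 and warns on stderr when the sandbox is turned off.
audit_nix_sandbox() {
    sys=/etc/nix/nix.conf
    user="${XDG_CONFIG_HOME:-$HOME/.config}/nix/nix.conf"
    if sandbox_disabled "$sys" "$user"; then
        echo "WARNING: sandbox = false is in effect (checked $sys, $user)" >&2
        return 1
    fi
    echo "sandbox: $(effective_sandbox "$sys" "$user")"
}

# Constructed sample input: a system file that enables the sandbox and a
# per-user file that still carries the workaround.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'sandbox = true\n' > "$demo_dir/system.conf"
printf '# install workaround\nsandbox = false\n' > "$demo_dir/user.conf"
effective_sandbox "$demo_dir/system.conf" "$demo_dir/user.conf"
```

Run `audit_nix_sandbox` after sourcing the file to check the real configuration; in a multi-user install the daemon may ignore per-user settings, so a warning here means the file should be reviewed, not that builds are necessarily unsandboxed.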

@stale

stale bot commented Jul 10, 2022

I marked this as stale due to inactivity. → More info

@stale stale bot added the stale label Jul 10, 2022
@valignatev

bot begone

@stale stale bot removed the stale label Jul 10, 2022
@stale stale bot added the stale label Jan 8, 2023