I always assumed that since NixOS went out of its way to create a /usr/bin/env, it would be available inside a sandboxed build as well, but that appears not to be the case.
It seems like we should have a "Nix contract", basically stating things like: you can expect to have GNU coreutils, find, sed, impure /bin/sh, /dev/null, etc.
Then we make NixOS satisfy that contract (by adding /bin/sh) and we make the sandboxed builder environment satisfy it too. It's unclear to me whether /usr/bin/env belongs in that contract or not, but it does seem pretty confusing that it's in one place and not the other.
cc @edolstra @shlevy
IMO this isn't a nix issue. It's part of your stdenv what kinds of things you expect to be available (and ideally your sandbox could be configured at least in part accordingly). But I do agree we should have a specification here.
Relevant: https://github.com/NixOS/nixpkgs/issues/6227 ("chroot environments have no /usr/bin/env?").
Is there a reason not to add it by default, like we do for /bin/sh? https://github.com/NixOS/nixpkgs/blob/08bf000fe2e385f2253428eef77f952e3dc187c5/nixos/modules/services/misc/nix-daemon.nix#L45
I'd probably err on the side of making it consistent first (so adding /usr/bin/env to both), then perhaps making a separate effort to whittle down the impurities.
Does somebody know how it can be that /usr/bin/env seems to be available during a sandboxed build on my machine, but not on others?
I'm currently trying to debug sage (https://github.com/NixOS/nixpkgs/issues/31714). But I can't test it myself, since the build (with the same commands @siddharthist uses, including sandbox) works for me. Is that a bug?
@timokau I heard somewhere it is not possible to enable sandboxing using --option. Edit: See https://github.com/NixOS/nix/issues/1670
Purity idea: make the derivation primitive accept options that allow overriding /bin/sh value (perhaps also /usr/bin/env and others), and then we can just make stdenv pass them automatically, getting rid of this ugly impurity in nixpkgs. (They are almost always in build-time closure anyway.)
This is pretty annoying to hit. Because /usr/bin/env just runs what's in PATH, it seems like it should be safe to add. Can we just make it a default for sandboxPaths?
FWIW, NixOS has the (hidden) option environment.usrbinenv, with which you can turn off having a /usr/bin/env (by setting the option to null). Doing this makes NixOS less convenient, but it does prevent some impurities (e.g. a user packaging some python script for nixpkgs could easily forget to patch its /usr/bin/env python because they have python in their PATH).
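The impurity just described (a script whose `#!/usr/bin/env python` line happens to work on the packager's NixOS host but has no `/usr/bin/env` to resolve against inside a sandboxed build) can be caught before the build fails. The following is an added example, not code from the Nix issue or from nixpkgs: a portable POSIX shell check that lists env shebangs under a directory, plus a sed-based rewrite to an absolute interpreter path in the spirit of what nixpkgs' `patchShebangs` does. The sample file tree, the function names and the `/nix/store/example-python/...` path are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Nix issue thread or from nixpkgs: a check for
# scripts shipped with "#!/usr/bin/env ..." shebangs, which resolve on a NixOS
# host (where /usr/bin/env exists) but fail inside a sandboxed build that lacks
# it. The sample tree below is constructed here for the demonstration.

# List every regular file under $1 whose first line is an env shebang,
# printing one "path<TAB>interpreter" line per hit. Uses find -exec ... + so
# filenames with spaces are handled and no subshell/pipe state is lost.
find_env_shebangs() {
    find "$1" -type f -exec sh -c '
        p="#!/usr/bin/env"
        for f do
            first=$(head -n 1 "$f")
            case $first in
                "$p"|"$p "*)
                    rest=${first#"$p"}; rest=${rest#" "}
                    printf "%s\t%s\n" "$f" "${rest:-<none>}" ;;
            esac
        done' sh {} +
}

# Number of env-shebang files under $1; a non-zero count is a build-gate signal.
count_env_shebangs() {
    find_env_shebangs "$1" | wc -l | tr -d ' '
}

# Rewrite "#!/usr/bin/env NAME ..." in file $1 to "#!$2/NAME ...", where $2 is
# the interpreter's bin directory (in a real build that would be a store path).
# Done with sed and a temp file so it runs on both GNU and BSD userlands.
rewrite_env_shebang() {
    file=$1; bindir=$2
    sed "1s|^#!/usr/bin/env \([^ ]*\)|#!$bindir/\1|" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Constructed sample tree: two env shebangs, one absolute shebang, one data file.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/share"
    printf '#!/usr/bin/env python\nprint("hi")\n' > "$d/bin/tool.py"
    printf '#!/usr/bin/env bash\necho hi\n' > "$d/bin/run.sh"
    printf '#!/bin/sh\necho ok\n' > "$d/bin/plain.sh"
    printf 'just data\n' > "$d/share/readme.txt"
    printf '%s\n' "$d"
}

# Stand-alone demo: scan the constructed tree, then clean it up.
demo=$(make_sample_tree)
find_env_shebangs "$demo"
rm -rf "$demo"
```

Run against an unpacked source tree (or a build's `$out`) before relying on the sandbox to surface the problem; a non-zero `count_env_shebangs` means at least one script still depends on `/usr/bin/env` being present at run time.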
This seriously defeats the purpose of nix-shell --pure. Is it possible to make the pure option block it out?