From 0d3bc50b0cffeae05beb12d0c270c6599186c0d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= Date: Fri, 25 Apr 2025 20:17:17 +0200 Subject: [PATCH] daemon: Use the guest GID in /etc/group. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Partly fixes . Fixes a bug whereby, when running guix-daemon unprivileged, /etc/group would contain the wrong GID for the “nixbld” group. This inconsistency would lead to failures in the Coreutils test suite, for instance. * nix/libstore/build.cc (DerivationGoal::startBuilder): Use ‘guestGID’ when writing /etc/group. * tests/store.scm ("/etc/passwd and /etc/group"): New test. Reported-by: keinflue Change-Id: I739bc96c4c935fd9015a45e2bfe5b3e3f90554a9 --- nix/libstore/build.cc | 2 +- tests/store.scm | 22 ++++++++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index 4ee4a1ae5f..a1f39d9a8b 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -1854,7 +1854,7 @@ void DerivationGoal::startBuilder() view of the system (e.g., "id -gn"). */ writeFile(chrootRootDir + "/etc/group", (format("nixbld:!:%1%:\n") - % (buildUser.enabled() ? buildUser.getGID() : getgid())).str()); + % (buildUser.enabled() ? buildUser.getGID() : guestGID)).str()); /* Create /etc/hosts with localhost entry. */ if (!fixedOutput) diff --git a/tests/store.scm b/tests/store.scm index b467314bdc..112ea7e2fc 100644 --- a/tests/store.scm +++ b/tests/store.scm 
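Review bot: The comment above this `writeFile` call does not say why the fallback is now `guestGID` rather than the daemon's own `getgid()`, so a later cleanup could revert it without noticing. Presumably, when no build user is enabled, the builder runs in a user namespace where the daemon's GID is mapped to `guestGID`, so the chroot's /etc/group must carry the in-namespace ID. A line such as `/* Without a build user the builder sees guestGID, not the daemon's getgid(). */` would record that. The /etc/passwd entry is written outside this hunk, so confirm that its GID field uses the same expression, because the new test checks both `passwd:gid` and the `getgrgid (getgid)` lookup. The body of startBuilder begins and ends outside the hunk.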
@@ -443,6 +443,28 @@ (and (build-derivations %store (list d)) (call-with-input-file o get-string-all)))) +(unless (unprivileged-user-namespace-supported?) + (test-skip 1)) +(test-equal "/etc/passwd and /etc/group" + '((name "nixbld") + (uid 30001) + (gid 30000) + (group-name "nixbld")) + (let ((d (build-expression->derivation + %store "passwd-group-check" + `(call-with-output-file %output + (lambda (port) + ',(gettimeofday) + (let ((pw (getpwuid (getuid))) + (gr (getgrgid (getgid)))) + (write `((name ,(passwd:name pw)) + (uid ,(passwd:uid pw)) + (gid ,(passwd:gid pw)) + (group-name ,(group:name gr))) + port))))))) + (build-derivations %store (list d)) + (call-with-input-file (derivation->output-path d) read))) + (unless (unprivileged-user-namespace-supported?) (test-skip 1)) (test-equal "inputs are read-only"
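Review bot: The expected `(uid 30001)` and `(gid 30000)` are bare literals that must match the daemon's guest UID and GID, which are defined outside this diff (presumably in nix/libstore/build.cc). If those constants change, this test fails with no hint as to why. A comment such as `;; 30001 and 30000 are the guest UID/GID the unprivileged daemon maps builders to` would tie the two together. The skip guard only checks for user-namespace support, so if the suite ever runs against a daemon with build users enabled, the IDs would come from `buildUser.getGID()` and the expectation would not hold; the comment should say the test assumes an unprivileged daemon. The `',(gettimeofday)` form also deserves a short comment, since it appears to be there only to make the derivation unique so that it is rebuilt on each run.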