Closed
Describe the bug
We are using the extra-sandbox-paths option with nix-build in order to provide secrets to our mobile builds, android keystore for example. I'm trying to upgrade to 2.6.0, but this functionality appears to not work, and files provided via --option extra-sandbox-paths are not available in the build sandbox.
Steps To Reproduce
- Perform a multi-user installation (Ubuntu 20.04)
- Create this basic derivation:

  ```nix
  { pkgs ? import <nixpkgs> { } }:
  pkgs.stdenv.mkDerivation rec {
    name = "nix-sandbox-test";
    builder = pkgs.writeScript "${name}-builder" ''
      source $stdenv/setup
      cp /tmp/sandbox-file $out
    '';
  }
  ```
- Create a file to pass via extra-sandbox-paths:

  ```sh
  echo TEST > /tmp/sandbox-file
  ```
- Execute the build:

  ```sh
  nix-build --option extra-sandbox-paths '/tmp/sandbox-file'
  ```

- See error:

  ```
  cp: cannot stat '/tmp/sandbox-file': No such file or directory
  error: builder for '/nix/store/q545vrhp2gq550w9vr730x0gv871bczg-nix-sandbox-test.drv' failed with exit code 1;
         last 1 log lines:
         > cp: cannot stat '/tmp/sandbox-file': No such file or directory
  ```
Expected behavior
I expected it to work, like it does in a single-user installation or on NixOS.
Additional context
I have straced the nix-daemon process and found out that it gets an ENOENT error:

```
> PID=$(systemctl show --property MainPID --value nix-daemon)
> sudo strace -p $PID -f -e trace=%file 2>&1 >/dev/null | grep /tmp/sandbox-file
[pid 1457879] execve("/nix/store/vizjhz04x6xl57x2vrpqa52j8q6rkjfh-coreutils-9.0/bin/cp", ["cp", "/tmp/sandbox-file", "/nix/store/984lk190lqyy1vji4y07n"...], 0x5dc010 /* 69 vars */) = 0
[pid 1457879] newfstatat(AT_FDCWD, "/tmp/sandbox-file", 0x7fffffffd3b0, 0) = -1 ENOENT (No such file or directory)
```
But the file exists and has the right permissions, so a nixbld* user can read it:

```
> ls -l /tmp/sandbox-file
-rw-r--r-- 1 jakubgs jakubgs 5 Feb 17 22:19 /tmp/sandbox-file
> sudo -u nixbld1 cat /tmp/sandbox-file
TEST
```

So I don't know what the issue is. Especially since it works fine on NixOS.