extra-sandbox-paths doesn't work on multi-user install #6115

Closed
jakubgs opened this issue Feb 17, 2022 · 4 comments
jakubgs commented Feb 17, 2022

Describe the bug

We are using the extra-sandbox-paths option with nix-build in order to provide secrets to our mobile builds, android keystore for example. I'm trying to upgrade to 2.6.0, but this functionality appears to not work, and files provided via --option extra-sandbox-paths are not available in the build sandbox.

Steps To Reproduce

  1. Perform a multi-user installation (Ubuntu 20.04)
  2. Create this basic derivation:
    { pkgs ? import <nixpkgs> { } }:
    pkgs.stdenv.mkDerivation rec {
      name = "nix-sandbox-test";
      builder = pkgs.writeScript "${name}-builder" ''
        source $stdenv/setup
        cp /tmp/sandbox-file $out
      '';
    }
  3. Create a file to pass via extra-sandbox-paths:
    echo TEST > /tmp/sandbox-file
  4. Execute the build
    nix-build --option extra-sandbox-paths '/tmp/sandbox-file'
  5. See error
    cp: cannot stat '/tmp/sandbox-file': No such file or directory
    error: builder for '/nix/store/q545vrhp2gq550w9vr730x0gv871bczg-nix-sandbox-test.drv' failed with exit code 1;
           last 1 log lines:
           > cp: cannot stat '/tmp/sandbox-file': No such file or directory
    

Expected behavior

I expected it to work, like it does in a single-user installation or on NixOS.

Additional context

I have straced the nix-daemon process and found out that it gets an ENOENT error:

 > PID=$(systemctl show --property MainPID --value nix-daemon)                   
 > sudo strace -p $PID -f -e trace=%file >/dev/null 2>&1 | grep /tmp/sandbox-file
[pid 1457879] execve("/nix/store/vizjhz04x6xl57x2vrpqa52j8q6rkjfh-coreutils-9.0/bin/cp", ["cp", "/tmp/sandbox-file", "/nix/store/984lk190lqyy1vji4y07n"...], 0x5dc010 /* 69 vars */) = 0
[pid 1457879] newfstatat(AT_FDCWD, "/tmp/sandbox-file", 0x7fffffffd3b0, 0) = -1 ENOENT (No such file or directory)

But the file exists and has the right permissions, so a nixbld* user can read it:

 > ls -l /tmp/sandbox-file              
-rw-r--r-- 1 jakubgs jakubgs 5 Feb 17 22:19 /tmp/sandbox-file

 > sudo -u nixbld1 cat /tmp/sandbox-file
TEST

So I don't know what the issue is. Especially since it works fine on NixOS.

jakubgs commented Mar 7, 2022

I'd appreciate it if someone took a look at this. It makes upgrading to Nix newer than 2.3.16 impossible.

edolstra commented Mar 7, 2022

It may be because you're not a trusted user? If you run with -vvv, it will show a warning about ignored client settings:

# nix-build ./sandbox-test.nix --extra-sandbox-paths /tmp/sandbox-file -vvv 2>&1 | grep trusted
ignoring the client-specified setting 'sandbox-paths', because it is a restricted setting and you are not a trusted user

jakubgs commented Mar 7, 2022

Oh wow, you're right!

 > nix-build --extra-sandbox-paths /tmp/sandbox-file -vvv 2>&1 | grep trusted
ignoring the client-specified setting 'sandbox-paths', because it is a restricted setting and you are not a trusted user

After adding trusted-users = jenkins to /etc/nix/nix.conf it works!

 > cat $(nix-build --extra-sandbox-paths /tmp/sandbox-file)
TEST

Thanks @edolstra this definitely solves the issue for me.

Although honestly, I'm not sure why this kind of important warning/error should be hidden behind a triple -v flag.
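
The two things this thread turns on are the daemon's debug-level "ignoring the client-specified setting" message and the trusted-users list in /etc/nix/nix.conf. The following is an added example, not code from the Nix project or from either commenter: it pulls the dropped setting names out of a -vvv log (the daemon reports extra-sandbox-paths under its base name sandbox-paths, as the log line above shows) and checks whether a user would qualify under a given nix.conf. It assumes the message format shown in the thread and the documented trusted-users syntax (user names, @group names, or * for everyone); the log and nix.conf contents below are constructed samples.

```python
"""Surface nix daemon settings that were silently ignored, and check trusted-users.

Added example (not from the Nix project or the issue author). Assumes the
daemon's debug message format quoted in the issue and the nix.conf
`trusted-users` syntax: plain user names, `@group`, or `*`.
"""
import re

# Constructed sample of what `nix-build -vvv 2>&1` prints when the client
# passes a restricted setting that the daemon refuses to honour.
SAMPLE_LOG = """\
evaluating file '/home/jenkins/default.nix'
ignoring the client-specified setting 'sandbox-paths', because it is a restricted setting and you are not a trusted user
building '/nix/store/<hash-placeholder>-nix-sandbox-test.drv'...
"""

# Constructed sample nix.conf for a multi-user install.
SAMPLE_NIX_CONF = """\
# /etc/nix/nix.conf (constructed example)
build-users-group = nixbld
trusted-users = root @wheel jenkins
"""

# Matches the daemon message and captures the setting name inside the quotes.
IGNORED_RE = re.compile(r"^ignoring the client-specified setting '(?P<name>[^']+)'")


def ignored_settings(log_text):
    """Return the names of settings the daemon reported ignoring, in log order."""
    names = []
    for line in log_text.splitlines():
        match = IGNORED_RE.match(line.strip())
        if match:
            names.append(match.group("name"))
    return names


def parse_nix_conf(conf_text):
    """Minimal `key = value` parser for nix.conf; comments and blank lines are skipped."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def is_trusted_user(conf_text, user, groups=()):
    """True if `user`, or one of its `groups`, is listed in trusted-users.

    Mirrors the documented syntax: plain names, `@group`, or `*` for everyone.
    An absent trusted-users line means nobody beyond the daemon's defaults.
    """
    entries = parse_nix_conf(conf_text).get("trusted-users", "").split()
    for entry in entries:
        if entry == "*" or entry == user:
            return True
        if entry.startswith("@") and entry[1:] in groups:
            return True
    return False


def explain(log_text, conf_text, user, groups=()):
    """Turn the hidden debug message into an explicit, greppable diagnosis."""
    dropped = ignored_settings(log_text)
    if not dropped:
        return "no client settings were ignored"
    status = "is" if is_trusted_user(conf_text, user, groups) else "is NOT"
    return (f"daemon ignored restricted settings {dropped}; "
            f"user {user!r} {status} in trusted-users")


if __name__ == "__main__":
    # Typical use: pipe `nix-build ... -vvv 2>&1` into this script and read
    # the real /etc/nix/nix.conf instead of the constructed samples.
    print(explain(SAMPLE_LOG, SAMPLE_NIX_CONF, "jenkins"))
    print(explain(SAMPLE_LOG, SAMPLE_NIX_CONF, "alice", groups=("users",)))
```

Running this over a real -vvv capture in CI turns the silently dropped setting into a visible failure, which is the gap the thread complains about. The other side of the same setting is worth keeping in mind when widening trusted-users: a trusted user can make the daemon bind-mount arbitrary host paths into build sandboxes, so the list should stay limited to the accounts that genuinely need it.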

@jakubgs jakubgs closed this as completed Mar 7, 2022
edolstra commented Mar 7, 2022

Yeah, it used to be a warning rather than a debug message, but then people got spammed a lot about irrelevant client-side settings not being allowed by the daemon. We should improve that...
