author | Graham Christensen <graham@grahamc.com> | 2019-05-11T00·59-0400 |
---|---|---|
committer | Graham Christensen <graham@grahamc.com> | 2019-05-12T17·17-0400 |
commit | 6df61db0600ca73ccd51e3e5bec5312a04e99da1 (patch) | |
tree | 66de67c9b1ce6b90ea9d643d95d9a9d750b3c376 /doc | |
parent | c78686e411e0a14cff51836fe6c35d7584171df3 (diff) |
diff hook: execute as the build user, and pass the temp dir
Diffstat (limited to 'doc')
-rw-r--r-- | doc/manual/advanced-topics/diff-hook.xml | 12 |
-rw-r--r-- | doc/manual/command-ref/conf-file.xml | 20 |
2 files changed, 18 insertions, 14 deletions
diff --git a/doc/manual/advanced-topics/diff-hook.xml b/doc/manual/advanced-topics/diff-hook.xml index d2613f6df227..fb4bf819f94b 100644 --- a/doc/manual/advanced-topics/diff-hook.xml +++ b/doc/manual/advanced-topics/diff-hook.xml @@ -46,17 +46,15 @@ file containing: #!/bin/sh exec >&2 echo "For derivation $3:" -/run/current-system/sw/bin/runuser -u nobody -- /run/current-system/sw/bin/diff -r "$1" "$2" +/run/current-system/sw/bin/diff -r "$1" "$2" </programlisting> -<warning> - <para>The diff hook can be run as root. Take care to run as little - as possible as root, for this example we use <command>runuser</command> - to drop privileges. - </para> -</warning> </para> +<para>The diff hook is executed by the same user and group who ran the +build. However, the diff hook does not have write access to the store +path just built.</para> + <section> <title> Spot-Checking Build Determinism diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml index a1a5d6e12972..c5f90481b136 100644 --- a/doc/manual/command-ref/conf-file.xml +++ b/doc/manual/command-ref/conf-file.xml @@ -252,13 +252,11 @@ false</literal>.</para> same. </para> - <warning> - <para> - The root user executes the diff hook in a daemonised - installation. See <xref linkend="chap-diff-hook" /> for - information on using the diff hook safely. - </para> - </warning> + <para> + The diff hook is executed by the same user and group who ran the + build. However, the diff hook does not have write access to the + store path just built. + </para> <para>The diff hook program receives three parameters:</para> @@ -280,6 +278,14 @@ false</literal>.</para> The path to the build's derivation </para> </listitem> + + <listitem> + <para> + The path to the build's scratch directory. This directory + will exist only if the build was run with + <option>--keep-failed</option>. + </para> + </listitem> </orderedlist> <para>The diff hook should not print data to stderr or stdout, as |
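Review bot: In the doc/manual/advanced-topics/diff-hook.xml hunk, the added paragraph says the hook runs as "the same user and group who ran the build", which can be read as the account that invoked the build rather than the build user named in the commit subject. Suggest wording it as "the build user and group" so nobody assumes the hook inherits their own account's access. With the runuser call and the warning both removed, this paragraph is the only privilege guidance left in the chapter, and it covers only write access to the store path just built; it should also say what the hook can touch in the scratch directory that is now passed to it.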
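Review bot: In the first doc/manual/command-ref/conf-file.xml hunk (@@ -252), replacing the warning drops the <xref linkend="chap-diff-hook" /> pointer, so the option's reference entry no longer links to the chapter that shows how to write a hook. Suggest keeping a "See <xref linkend="chap-diff-hook" />" sentence at the end of the new paragraph. The unchanged context line "The diff hook program receives three parameters:" is also stale now that the following hunk adds a fourth list item, and should be updated in the same change.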
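Review bot: In the second doc/manual/command-ref/conf-file.xml hunk (@@ -280), the new list item says the scratch directory "will exist only if the build was run with --keep-failed" but does not say what the hook receives otherwise: a path that does not exist, or no fourth argument at all. Please state which, and advise hook authors to test that the directory exists before reading from it, so a hook that expects the fourth parameter does not fail on ordinary builds. The example script in diff-hook.xml still uses only $1, $2 and $3, so a short mention of the new parameter there would keep the two pages consistent.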