libredirect tests fail for non-sandboxed, non-NixOS builds due to system()

[ghost]

Describe the bug

The tests for nix-env -iA libredirect fail in single-user (i.e. no sandbox) nixpkgs builds on systems where /bin/sh comes from the host system rather than /nix/store. This happens because the tests use the impure system() call.

running install tests
sh: symbol lookup error: /nix/store/v9j3c0rfx7hll8gan73vimlk4klh4hmi-glibc-2.33-108/lib/libdl.so.2: undefined symbol: _dl_catch_error_ptr, version GLIBC_PRIVATE
test: test.c:41: test_system: Assertion `system(TESTPATH) == 0' failed.
/nix/store/cmwbb13lchz63rk5v79wx8rccjxxx55n-stdenv-linux/setup: line 1357: 23424 Aborted                 NIX_REDIRECTS="/foo/bar/test=/nix/store/0a73l706bk0gynrr5c8gqhc9n42nc30z-coreutils-9.0/bin/true:/bar/baz=$(mktemp -d)" ./test

Steps To Reproduce

Steps to reproduce the behavior:

1. Find a non-NixOS host system, install nixpkgs
2. nix-env -iA libredirect
3. Profit

Expected behavior

The system() tests should be skipped if an unsandboxed build environment is detected.

I can't figure out how to determine, from within a derivation being built, if the build environment is sandboxed or not. If there is a reliable way to do this please let me know and I'll write the PR to close this bug.

[Mindavi]

Something like (if which sh does not start with $store_root) might work. Note that the prefix is not / should not be hardcoded.

[ghost]

Something like (if which sh does not start with $store_root) might work. Note that the prefix is not / should not be hardcoded.

I don't think that will work. Even without the sandbox, nix still removes /bin from the $PATH and puts /nix/store/...-bash/bin/ in there instead.

The problem is that glibc's system() call is hardwired to use /bin/sh. This is actually part of the POSIX specification. Guix patches glibc, but that raises a whole bunch of other tricky issues. Nixpkgs decided not to patch glibc -- it uses a sandbox instead, but that only works on Linux, on certain platforms, and when the nixpkgs daemon is started as root (or has access to a suid-root sandboxing binary). There are pros and cons of either approach here.

There are some details here: #236

I'm having trouble finding the other bug that dealt with this; it had more detail. Here it is: #1434

However I think that because nixpkgs does not patch glibc, it needs to give derivations some kind of signal that "hey, system() is broken, do not freak out if it doesn't work". This is needed on non-Linux-{amd64,arm64,arm32} platforms and on unprivileged-user installs, since the sandbox doesn't work in those cases.

[papag00se]

Has there been any progress on this? I am running into this today inside of a Docker container based on ubuntu:latest

sh: symbol lookup error: /nix/store/q29bwjibv9gi9n86203s38n0577w09sx-glibc-2.33-117/lib/libdl.so.2: undefined symbol: _dl_catch_error_ptr, version GLIBC_PRIVATE
test: test.c:41: test_system: Assertion `system(TESTPATH) == 0' failed.
/nix/store/av415bdh58v1n9xsci1i4r1pd9bmzqsy-stdenv-linux/setup: line 1357: 1100760 Aborted                 (core dumped) NIX_REDIRECTS="/foo/bar/test=/nix/store/l3l6y4b4wj6v46adlpy092iq5fxaqc0m-coreutils-9.0/bin/true:/bar/baz=$(mktemp -d)" ./test
error: builder for '/nix/store/vxn47cjr1455bq351ibgwidz0gmw18wj-libredirect-0.drv' failed with exit code 134
error: 1 dependencies of derivation '/nix/store/yp910lzi1px6nikgz7kx0k4l27rmlqfh-openssh-8.8p1.drv' failed to build
error: 1 dependencies of derivation '/nix/store/cnnmjwk2ffkr8zr2fdm12mqv1kpi4343-git-2.35.1.drv' failed to build
error: 1 dependencies of derivation '/nix/store/y43h4h7zsqgqagb184v52k1dzw867s1p-git-ls-files.drv' failed to build

Single user install by a non-root user in the sudoers group.

[veprbl]

Please test #216342