Fix build failures on systems with unprivileged_userns_clone=0

[BonusPlay]

Motivation

Currently certain builds failed on hardened systems, exactly with kernel.unprivileged_userns_clone=0.
The error happens only on GID lookup, because nix didn't setup /etc/group inside the sandbox.
While the file exists in the sandbox, it has incorrect GID (100). This PR fixes this to match host value.

I've tested this briefly locally and it does seem to fix the issue.

Context

• nixos/hardened: some packages checks fail in nix build nixpkgs#287194
• sandboxed builds without user namespace should require sandbox-fallback set to true #6898
• Build failure: python312Packages.path nixpkgs#374401

This is my first PR to nix without deeper understanding of what potential implications this might have (especially on security).

---

Add 👍 to pull requests you find important.

The Nix maintainer team uses a GitHub project board to schedule and track reviews.

[xokdvium]

Hm, #14914 is probably the root cause? If running as root it should still be possible to create a user namespace without unprivileged userns.

[BonusPlay]

Looks related, yes.

[Ericson2314]

Side note: I would love to have a NixOS test unprivileged_userns_clone=0 disabled. Otherwise it's really hard to maintain this code path.

[edolstra]

Hm, this is already done in ChrootDerivationBuilder::prepareSandbox(). If it writes the wrong gid for some reason, then we should fix that. At the very least, writing /etc/group should be factored out into a separate function.