Merge pull request #7739 from obsidiansystems/user-settings
Move `trustedUsers` and `allowedUsers` to separate config struct
This commit is contained in:
commit
dbe0748f97
|
@ -529,7 +529,14 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
|
||||||
mode = (BuildMode) readInt(from);
|
mode = (BuildMode) readInt(from);
|
||||||
|
|
||||||
/* Repairing is not atomic, so disallowed for "untrusted"
|
/* Repairing is not atomic, so disallowed for "untrusted"
|
||||||
clients. */
|
clients.
|
||||||
|
|
||||||
|
FIXME: layer violation in this message: the daemon code (i.e.
|
||||||
|
this file) knows whether a client/connection is trusted, but it
|
||||||
|
does not how how the client was authenticated. The mechanism
|
||||||
|
need not be getting the UID of the other end of a Unix Domain
|
||||||
|
Socket.
|
||||||
|
*/
|
||||||
if (mode == bmRepair && !trusted)
|
if (mode == bmRepair && !trusted)
|
||||||
throw Error("repairing is not allowed because you are not in 'trusted-users'");
|
throw Error("repairing is not allowed because you are not in 'trusted-users'");
|
||||||
}
|
}
|
||||||
|
@ -546,7 +553,9 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
|
||||||
mode = (BuildMode) readInt(from);
|
mode = (BuildMode) readInt(from);
|
||||||
|
|
||||||
/* Repairing is not atomic, so disallowed for "untrusted"
|
/* Repairing is not atomic, so disallowed for "untrusted"
|
||||||
clients. */
|
clients.
|
||||||
|
|
||||||
|
FIXME: layer violation; see above. */
|
||||||
if (mode == bmRepair && !trusted)
|
if (mode == bmRepair && !trusted)
|
||||||
throw Error("repairing is not allowed because you are not in 'trusted-users'");
|
throw Error("repairing is not allowed because you are not in 'trusted-users'");
|
||||||
|
|
||||||
|
|
|
@ -279,8 +279,8 @@ public:
|
||||||
If the build users group is empty, builds will be performed under
|
If the build users group is empty, builds will be performed under
|
||||||
the uid of the Nix process (that is, the uid of the caller if
|
the uid of the Nix process (that is, the uid of the caller if
|
||||||
`NIX_REMOTE` is empty, the uid under which the Nix daemon runs if
|
`NIX_REMOTE` is empty, the uid under which the Nix daemon runs if
|
||||||
`NIX_REMOTE` is `daemon`). Obviously, this should not be used in
|
`NIX_REMOTE` is `daemon`). Obviously, this should not be used
|
||||||
multi-user settings with untrusted users.
|
with a nix daemon accessible to untrusted clients.
|
||||||
|
|
||||||
Defaults to `nixbld` when running as root, *empty* otherwise.
|
Defaults to `nixbld` when running as root, *empty* otherwise.
|
||||||
)",
|
)",
|
||||||
|
@ -696,24 +696,6 @@ public:
|
||||||
)",
|
)",
|
||||||
{"trusted-binary-caches"}};
|
{"trusted-binary-caches"}};
|
||||||
|
|
||||||
Setting<Strings> trustedUsers{
|
|
||||||
this, {"root"}, "trusted-users",
|
|
||||||
R"(
|
|
||||||
A list of names of users (separated by whitespace) that have
|
|
||||||
additional rights when connecting to the Nix daemon, such as the
|
|
||||||
ability to specify additional binary caches, or to import unsigned
|
|
||||||
NARs. You can also specify groups by prefixing them with `@`; for
|
|
||||||
instance, `@wheel` means all users in the `wheel` group. The default
|
|
||||||
is `root`.
|
|
||||||
|
|
||||||
> **Warning**
|
|
||||||
>
|
|
||||||
> Adding a user to `trusted-users` is essentially equivalent to
|
|
||||||
> giving that user root access to the system. For example, the user
|
|
||||||
> can set `sandbox-paths` and thereby obtain read access to
|
|
||||||
> directories that are otherwise inacessible to them.
|
|
||||||
)"};
|
|
||||||
|
|
||||||
Setting<unsigned int> ttlNegativeNarInfoCache{
|
Setting<unsigned int> ttlNegativeNarInfoCache{
|
||||||
this, 3600, "narinfo-cache-negative-ttl",
|
this, 3600, "narinfo-cache-negative-ttl",
|
||||||
R"(
|
R"(
|
||||||
|
@ -736,18 +718,6 @@ public:
|
||||||
mismatch if the build isn't reproducible.
|
mismatch if the build isn't reproducible.
|
||||||
)"};
|
)"};
|
||||||
|
|
||||||
/* ?Who we trust to use the daemon in safe ways */
|
|
||||||
Setting<Strings> allowedUsers{
|
|
||||||
this, {"*"}, "allowed-users",
|
|
||||||
R"(
|
|
||||||
A list of names of users (separated by whitespace) that are allowed
|
|
||||||
to connect to the Nix daemon. As with the `trusted-users` option,
|
|
||||||
you can specify groups by prefixing them with `@`. Also, you can
|
|
||||||
allow all users by specifying `*`. The default is `*`.
|
|
||||||
|
|
||||||
Note that trusted users are always allowed to connect.
|
|
||||||
)"};
|
|
||||||
|
|
||||||
Setting<bool> printMissing{this, true, "print-missing",
|
Setting<bool> printMissing{this, true, "print-missing",
|
||||||
"Whether to print what paths need to be built or downloaded."};
|
"Whether to print what paths need to be built or downloaded."};
|
||||||
|
|
||||||
|
|
|
@ -34,6 +34,43 @@
|
||||||
using namespace nix;
|
using namespace nix;
|
||||||
using namespace nix::daemon;
|
using namespace nix::daemon;
|
||||||
|
|
||||||
|
struct UserSettings : Config {
|
||||||
|
|
||||||
|
Setting<Strings> trustedUsers{
|
||||||
|
this, {"root"}, "trusted-users",
|
||||||
|
R"(
|
||||||
|
A list of names of users (separated by whitespace) that have
|
||||||
|
additional rights when connecting to the Nix daemon, such as the
|
||||||
|
ability to specify additional binary caches, or to import unsigned
|
||||||
|
NARs. You can also specify groups by prefixing them with `@`; for
|
||||||
|
instance, `@wheel` means all users in the `wheel` group. The default
|
||||||
|
is `root`.
|
||||||
|
|
||||||
|
> **Warning**
|
||||||
|
>
|
||||||
|
> Adding a user to `trusted-users` is essentially equivalent to
|
||||||
|
> giving that user root access to the system. For example, the user
|
||||||
|
> can set `sandbox-paths` and thereby obtain read access to
|
||||||
|
> directories that are otherwise inacessible to them.
|
||||||
|
)"};
|
||||||
|
|
||||||
|
/* ?Who we trust to use the daemon in safe ways */
|
||||||
|
Setting<Strings> allowedUsers{
|
||||||
|
this, {"*"}, "allowed-users",
|
||||||
|
R"(
|
||||||
|
A list of names of users (separated by whitespace) that are allowed
|
||||||
|
to connect to the Nix daemon. As with the `trusted-users` option,
|
||||||
|
you can specify groups by prefixing them with `@`. Also, you can
|
||||||
|
allow all users by specifying `*`. The default is `*`.
|
||||||
|
|
||||||
|
Note that trusted users are always allowed to connect.
|
||||||
|
)"};
|
||||||
|
};
|
||||||
|
|
||||||
|
UserSettings userSettings;
|
||||||
|
|
||||||
|
static GlobalConfig::Register rSettings(&userSettings);
|
||||||
|
|
||||||
#ifndef __linux__
|
#ifndef __linux__
|
||||||
#define SPLICE_F_MOVE 0
|
#define SPLICE_F_MOVE 0
|
||||||
static ssize_t splice(int fd_in, void *off_in, int fd_out, void *off_out, size_t len, unsigned int flags)
|
static ssize_t splice(int fd_in, void *off_in, int fd_out, void *off_out, size_t len, unsigned int flags)
|
||||||
|
@ -203,8 +240,8 @@ static void daemonLoop()
|
||||||
struct group * gr = peer.gidKnown ? getgrgid(peer.gid) : 0;
|
struct group * gr = peer.gidKnown ? getgrgid(peer.gid) : 0;
|
||||||
std::string group = gr ? gr->gr_name : std::to_string(peer.gid);
|
std::string group = gr ? gr->gr_name : std::to_string(peer.gid);
|
||||||
|
|
||||||
Strings trustedUsers = settings.trustedUsers;
|
Strings trustedUsers = userSettings.trustedUsers;
|
||||||
Strings allowedUsers = settings.allowedUsers;
|
Strings allowedUsers = userSettings.allowedUsers;
|
||||||
|
|
||||||
if (matchUser(user, group, trustedUsers))
|
if (matchUser(user, group, trustedUsers))
|
||||||
trusted = Trusted;
|
trusted = Trusted;
|
||||||
|
|
Loading…
Reference in a new issue