Merge pull request #7739 from obsidiansystems/user-settings

Move `trustedUsers` and `allowedUsers` to separate config struct
This commit is contained in:
Eelco Dolstra 2023-02-03 11:55:37 +01:00 committed by GitHub
commit dbe0748f97
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 52 additions and 36 deletions

View file

@ -529,7 +529,14 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
mode = (BuildMode) readInt(from); mode = (BuildMode) readInt(from);
/* Repairing is not atomic, so disallowed for "untrusted" /* Repairing is not atomic, so disallowed for "untrusted"
clients. */ clients.
FIXME: layer violation in this message: the daemon code (i.e.
this file) knows whether a client/connection is trusted, but it
does not how how the client was authenticated. The mechanism
need not be getting the UID of the other end of a Unix Domain
Socket.
*/
if (mode == bmRepair && !trusted) if (mode == bmRepair && !trusted)
throw Error("repairing is not allowed because you are not in 'trusted-users'"); throw Error("repairing is not allowed because you are not in 'trusted-users'");
} }
@ -546,7 +553,9 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
mode = (BuildMode) readInt(from); mode = (BuildMode) readInt(from);
/* Repairing is not atomic, so disallowed for "untrusted" /* Repairing is not atomic, so disallowed for "untrusted"
clients. */ clients.
FIXME: layer violation; see above. */
if (mode == bmRepair && !trusted) if (mode == bmRepair && !trusted)
throw Error("repairing is not allowed because you are not in 'trusted-users'"); throw Error("repairing is not allowed because you are not in 'trusted-users'");

View file

@ -279,8 +279,8 @@ public:
If the build users group is empty, builds will be performed under If the build users group is empty, builds will be performed under
the uid of the Nix process (that is, the uid of the caller if the uid of the Nix process (that is, the uid of the caller if
`NIX_REMOTE` is empty, the uid under which the Nix daemon runs if `NIX_REMOTE` is empty, the uid under which the Nix daemon runs if
`NIX_REMOTE` is `daemon`). Obviously, this should not be used in `NIX_REMOTE` is `daemon`). Obviously, this should not be used
multi-user settings with untrusted users. with a nix daemon accessible to untrusted clients.
Defaults to `nixbld` when running as root, *empty* otherwise. Defaults to `nixbld` when running as root, *empty* otherwise.
)", )",
@ -696,24 +696,6 @@ public:
)", )",
{"trusted-binary-caches"}}; {"trusted-binary-caches"}};
Setting<Strings> trustedUsers{
this, {"root"}, "trusted-users",
R"(
A list of names of users (separated by whitespace) that have
additional rights when connecting to the Nix daemon, such as the
ability to specify additional binary caches, or to import unsigned
NARs. You can also specify groups by prefixing them with `@`; for
instance, `@wheel` means all users in the `wheel` group. The default
is `root`.
> **Warning**
>
> Adding a user to `trusted-users` is essentially equivalent to
> giving that user root access to the system. For example, the user
> can set `sandbox-paths` and thereby obtain read access to
> directories that are otherwise inacessible to them.
)"};
Setting<unsigned int> ttlNegativeNarInfoCache{ Setting<unsigned int> ttlNegativeNarInfoCache{
this, 3600, "narinfo-cache-negative-ttl", this, 3600, "narinfo-cache-negative-ttl",
R"( R"(
@ -736,18 +718,6 @@ public:
mismatch if the build isn't reproducible. mismatch if the build isn't reproducible.
)"}; )"};
/* ?Who we trust to use the daemon in safe ways */
Setting<Strings> allowedUsers{
this, {"*"}, "allowed-users",
R"(
A list of names of users (separated by whitespace) that are allowed
to connect to the Nix daemon. As with the `trusted-users` option,
you can specify groups by prefixing them with `@`. Also, you can
allow all users by specifying `*`. The default is `*`.
Note that trusted users are always allowed to connect.
)"};
Setting<bool> printMissing{this, true, "print-missing", Setting<bool> printMissing{this, true, "print-missing",
"Whether to print what paths need to be built or downloaded."}; "Whether to print what paths need to be built or downloaded."};

View file

@ -34,6 +34,43 @@
using namespace nix; using namespace nix;
using namespace nix::daemon; using namespace nix::daemon;
struct UserSettings : Config {
Setting<Strings> trustedUsers{
this, {"root"}, "trusted-users",
R"(
A list of names of users (separated by whitespace) that have
additional rights when connecting to the Nix daemon, such as the
ability to specify additional binary caches, or to import unsigned
NARs. You can also specify groups by prefixing them with `@`; for
instance, `@wheel` means all users in the `wheel` group. The default
is `root`.
> **Warning**
>
> Adding a user to `trusted-users` is essentially equivalent to
> giving that user root access to the system. For example, the user
> can set `sandbox-paths` and thereby obtain read access to
> directories that are otherwise inacessible to them.
)"};
/* ?Who we trust to use the daemon in safe ways */
Setting<Strings> allowedUsers{
this, {"*"}, "allowed-users",
R"(
A list of names of users (separated by whitespace) that are allowed
to connect to the Nix daemon. As with the `trusted-users` option,
you can specify groups by prefixing them with `@`. Also, you can
allow all users by specifying `*`. The default is `*`.
Note that trusted users are always allowed to connect.
)"};
};
UserSettings userSettings;
static GlobalConfig::Register rSettings(&userSettings);
#ifndef __linux__ #ifndef __linux__
#define SPLICE_F_MOVE 0 #define SPLICE_F_MOVE 0
static ssize_t splice(int fd_in, void *off_in, int fd_out, void *off_out, size_t len, unsigned int flags) static ssize_t splice(int fd_in, void *off_in, int fd_out, void *off_out, size_t len, unsigned int flags)
@ -203,8 +240,8 @@ static void daemonLoop()
struct group * gr = peer.gidKnown ? getgrgid(peer.gid) : 0; struct group * gr = peer.gidKnown ? getgrgid(peer.gid) : 0;
std::string group = gr ? gr->gr_name : std::to_string(peer.gid); std::string group = gr ? gr->gr_name : std::to_string(peer.gid);
Strings trustedUsers = settings.trustedUsers; Strings trustedUsers = userSettings.trustedUsers;
Strings allowedUsers = settings.allowedUsers; Strings allowedUsers = userSettings.allowedUsers;
if (matchUser(user, group, trustedUsers)) if (matchUser(user, group, trustedUsers))
trusted = Trusted; trusted = Trusted;