* Create the Nix daemon socket in a separate directory

(/nix/var/nix/daemon-socket).  This allows access to the Nix daemon
  to be restricted by setting the mode/ownership on that directory as
  desired, e.g.

    $ chmod 770 /nix/var/nix/daemon-socket
    $ chown root.wheel /nix/var/nix/daemon-socket

  to allow only users in the wheel group to use Nix.

  Setting the ownership on a socket is much trickier, since the socket
  must be deleted and recreated every time the daemon is started
  (which would require additional Nix configuration file directives to
  specify the mode/ownership, and wouldn't support arbitrary ACLs),
  some BSD variants appear to ignore permissions on sockets, and it's
  not clear whether the umask is respected on every platform when
  creating sockets.
This commit is contained in:
Eelco Dolstra 2007-08-30 09:50:44 +00:00
parent cb1c1004cd
commit 0d65fc08e2
2 changed files with 10 additions and 4 deletions


@ -38,9 +38,12 @@ typedef enum {
#define STDERR_ERROR 0x63787470 #define STDERR_ERROR 0x63787470
/* The default location of the daemon socket, relative to /* The default location of the daemon socket, relative to nixStateDir.
nixStateDir. */ The socket is in a directory to allow you to control access to the
#define DEFAULT_SOCKET_PATH "/daemon.socket" Nix daemon by setting the mode/ownership of the directory
appropriately. (This wouldn't work on the socket itself since it
must be deleted and recreated on startup.) */
#define DEFAULT_SOCKET_PATH "/daemon-socket/socket"
Path readStorePath(Source & from); Path readStorePath(Source & from);


@ -517,6 +517,8 @@ static void daemonLoop()
string socketPath = nixStateDir + DEFAULT_SOCKET_PATH; string socketPath = nixStateDir + DEFAULT_SOCKET_PATH;
createDirs(dirOf(socketPath));
struct sockaddr_un addr; struct sockaddr_un addr;
addr.sun_family = AF_UNIX; addr.sun_family = AF_UNIX;
if (socketPath.size() >= sizeof(addr.sun_path)) if (socketPath.size() >= sizeof(addr.sun_path))
@ -526,7 +528,8 @@ static void daemonLoop()
unlink(socketPath.c_str()); unlink(socketPath.c_str());
/* Make sure that the socket is created with 0666 permission /* Make sure that the socket is created with 0666 permission
(everybody can connect). */ (everybody can connect --- provided they have access to the
directory containing the socket). */
mode_t oldMode = umask(0111); mode_t oldMode = umask(0111);
int res = bind(fdSocket, (struct sockaddr *) &addr, sizeof(addr)); int res = bind(fdSocket, (struct sockaddr *) &addr, sizeof(addr));
umask(oldMode); umask(oldMode);
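Review bot: The added `createDirs(dirOf(socketPath));` creates the socket directory with whatever mode createDirs and the daemon's inherited umask produce, and since the socket itself is deliberately bound with 0666, that directory mode is now the only access control on the daemon; until an administrator applies the chmod/chown from the commit message it is presumably accessible to everybody. It would be worth either creating the directory with an explicit restrictive mode here, or at least documenting the default next to the call, e.g. `/* Access to the daemon is governed by the mode/ownership of this directory; it is created with the daemon's default umask, so restrict it (chmod/chown) as needed. */`, and saying the same in the DEFAULT_SOCKET_PATH comment in the header. What createDirs does when the directory already exists with a different owner or mode is not visible in this hunk — verify it leaves an existing restrictive mode/owner untouched rather than resetting it. daemonLoop starts and ends outside these hunks.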