67/118: nix-daemon: Add trusted-users and allowed-users options
From: |
Ludovic Courtès |
Subject: |
67/118: nix-daemon: Add trusted-users and allowed-users options |
Date: |
Tue, 19 May 2015 14:45:43 +0000 |
civodul pushed a commit to branch nix
in repository guix.
commit 049c0eb49c621ae50f49c8a06dc6c3a9839ef388
Author: Eelco Dolstra <address@hidden>
Date: Thu Jul 17 16:57:07 2014 +0200
nix-daemon: Add trusted-users and allowed-users options
‘trusted-users’ is a list of users and groups that have elevated
rights, such as the ability to specify binary caches. It defaults to
‘root’. A typical value would be ‘@wheel’ to specify all users in the
wheel group.
‘allowed-users’ is a list of users and groups that are allowed to
connect to the daemon. It defaults to ‘*’. A typical value would be
‘@users’ to specify the ‘users’ group.
---
doc/manual/conf-file.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
src/libstore/globals.cc | 4 ++++
src/libstore/globals.hh | 9 +++++++++
src/nix-daemon/nix-daemon.cc | 38 +++++++++++++++++++++++++++++++++++---
4 files changed, 90 insertions(+), 3 deletions(-)
diff --git a/doc/manual/conf-file.xml b/doc/manual/conf-file.xml
index 29f7f9c..6af4c77 100644
--- a/doc/manual/conf-file.xml
+++ b/doc/manual/conf-file.xml
@@ -479,6 +479,48 @@ flag, e.g. <literal>--option gc-keep-outputs
false</literal>.</para>
</varlistentry>
+ <varlistentry
xml:id="conf-trusted-users"><term><literal>trusted-users</literal></term>
+
+ <listitem>
+
+ <para>A list of names of users (separated by whitespace) that
+ have additional rights when connecting to the Nix daemon, such
+ as the ability to specify additional binary caches, or to import
+ unsigned NARs. You can also specify groups by prefixing them
+ with <literal>@</literal>; for instance,
+ <literal>@wheel</literal> means all users in the
+ <literal>wheel</literal> group. The default is
+ <literal>root</literal>.</para>
+
+ <warning><para>The users listed here have the ability to
+ compromise the security of a multi-user Nix store. For instance,
+ they could install Trojan horses subsequently executed by other
+ users. So you should consider carefully whether to add users to
+ this list.</para></warning>
+
+ </listitem>
+
+ </varlistentry>
+
+
+ <varlistentry
xml:id="conf-allowed-users"><term><literal>allowed-users</literal></term>
+
+ <listitem>
+
+ <para>A list of names of users (separated by whitespace) that
+ are allowed to connect to the Nix daemon. As with the
+ <option>trusted-users</option> option, you can specify groups by
+ prefixing them with <literal>@</literal>. Also, you can allow
+ all users by specifying <literal>*</literal>. The default is
+ <literal>*</literal>.</para>
+
+ <para>Note that trusted users are always allowed to connect.</para>
+
+ </listitem>
+
+ </varlistentry>
+
+
</variablelist>
</para>
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index 60bc1db..2bfebb7 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -63,6 +63,8 @@ Settings::Settings()
lockCPU = getEnv("NIX_AFFINITY_HACK", "1") == "1";
showTrace = false;
enableImportNative = false;
+ trustedUsers = Strings({"root"});
+ allowedUsers = Strings({"*"});
}
@@ -152,6 +154,8 @@ void Settings::update()
get(logServers, "log-servers");
get(enableImportNative, "allow-unsafe-native-code-during-evaluation");
get(useCaseHack, "use-case-hack");
+ get(trustedUsers, "trusted-users");
+ get(allowedUsers, "allowed-users");
string subs = getEnv("NIX_SUBSTITUTERS", "default");
if (subs == "default") {
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 8dd59a9..f174833 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -203,6 +203,15 @@ struct Settings {
/* Whether the importNative primop should be enabled */
bool enableImportNative;
+ /* List of users that have elevated rights in the Nix daemon, such
+ as the ability to specify additional binary caches, or to
+ import unsigned NARs. */
+ Strings trustedUsers;
+
+ /* List of users that are allowed to connect to the daemon, in
+ addition to the trusted users. These have normal rights. */
+ Strings allowedUsers;
+
private:
SettingsMap settings, overrides;
diff --git a/src/nix-daemon/nix-daemon.cc b/src/nix-daemon/nix-daemon.cc
index fd030fe..dde501d 100644
--- a/src/nix-daemon/nix-daemon.cc
+++ b/src/nix-daemon/nix-daemon.cc
@@ -7,6 +7,8 @@
#include "affinity.hh"
#include "globals.hh"
+#include <algorithm>
+
#include <cstring>
#include <unistd.h>
#include <signal.h>
@@ -18,6 +20,7 @@
#include <fcntl.h>
#include <errno.h>
#include <pwd.h>
+#include <grp.h>
using namespace nix;
@@ -451,7 +454,7 @@ static void performOp(bool trusted, unsigned int
clientVersion,
case wopImportPaths: {
startWork();
TunnelSource source(from);
- Paths paths = store->importPaths(true, source);
+ Paths paths = store->importPaths(!trusted, source);
stopWork();
writeStrings(paths, to);
break;
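Review bot: The flipped literal in `store->importPaths(!trusted, source)` is the one place in this hunk where the trust level changes what a client may do, and a bare boolean gives the reader no hint of what it controls; presumably the first argument is a require-signature flag, so a comment such as `/* only untrusted clients must present signed NARs */` above the call would make the security consequence explicit. performOp's body continues outside the hunk.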
@@ -770,6 +773,27 @@ static void setSigChldAction(bool autoReap)
}
+bool matchUser(const string & user, const string & group, const Strings &
users)
+{
+ if (find(users.begin(), users.end(), "*") != users.end())
+ return true;
+
+ if (find(users.begin(), users.end(), user) != users.end())
+ return true;
+
+ for (auto & i : users)
+ if (string(i, 0, 1) == "@") {
+ if (group == string(i, 1)) return true;
+ struct group * gr = getgrnam(i.c_str() + 1);
+ if (!gr) continue;
+ for (char * * mem = gr->gr_mem; *mem; mem++)
+ if (user == string(*mem)) return true;
+ }
+
+ return false;
+}
+
+
#define SD_LISTEN_FDS_START 3
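Review bot: The `*` wildcard at the top of matchUser is honored for both lists, so a `trusted-users = *` entry makes every connecting client trusted, yet the trusted-users documentation in this commit only describes `*` for allowed-users; either the daemon should refuse or warn on that value, or the check should carry a comment such as `/* "*" matches everyone; in trustedUsers it grants every client elevated rights */`. A second, smaller point: `@group` membership is resolved only through the peer's primary gid and the `gr_mem` list returned by getgrnam(), so a user that an NSS backend reports as a member without listing them in `gr_mem` would not match — getgrouplist(3) on the resolved user name would likely be more robust, though I cannot see from here which NSS setups the daemon targets. getgrnam() also returns a pointer to static storage, which is acceptable only as long as the accept loop stays single-threaded.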
@@ -870,9 +894,17 @@ static void daemonLoop()
struct passwd * pw = getpwuid(cred.uid);
string user = pw ? pw->pw_name : int2String(cred.uid);
- if (cred.uid == 0) trusted = true;
+ struct group * gr = getgrgid(cred.gid);
+ string group = gr ? gr->gr_name : int2String(cred.gid);
+
+ if (matchUser(user, group, settings.trustedUsers))
+ trusted = true;
+
+ if (!trusted && !matchUser(user, group, settings.allowedUsers))
+ throw Error(format("user `%1%' is not allowed to connect to
the Nix daemon") % user);
- printMsg(lvlInfo, format("accepted connection from pid %1%, user
%2%") % clientPid % user);
+ printMsg(lvlInfo, format((string) "accepted connection from pid
%1%, user %2%"
+ + (trusted ? " (trusted)" : "")) % clientPid % user);
#endif
/* Fork a child to handle the connection. */
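Review bot: Dropping the unconditional `if (cred.uid == 0) trusted = true;` means root is trusted only while the literal name `root` appears in trusted-users, so an administrator who writes `trusted-users = @wheel` (replacing, not extending, the default) silently demotes root even though a uid-0 process can modify the store directly anyway; consider keeping `if (cred.uid == 0) trusted = true;` ahead of the matchUser() call, or documenting that the option replaces the default rather than adding to it. The rejection `throw Error(...)` runs in the parent before the fork, so the client only sees its socket closed with no explanation; if the accept loop's surrounding try/catch (outside this hunk) does not catch Error, a single rejected connection would also take the daemon down — worth confirming. daemonLoop's body continues outside the hunk.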