Tidy up and comment daemon CLI #8180
Conversation
Force-pushed from 764b711 to aca1cd8
Just something I noticed about processStdioConnection now that it's a bit more independent.
Not an urgent issue because it's static (for now!) and clients knowing their trustedness is a new thing, but would prefer not to have latent problems either.
```cpp
    /* Auth hook is empty because in this mode we blindly trust the
       standard streams. Limiting access to those is explicitly
       not `nix-daemon`'s responsibility. */
    processConnection(store, from, to, Trusted, NotRecursive);
```
Instead of documenting a limitation, I think we could make it work.
Suggested change:
```diff
-    processConnection(store, from, to, Trusted, NotRecursive);
+    processConnection(store, from, to, store->isTrustedClient(), NotRecursive);
```
The point of this mode of operation is that we forward everything, so that should probably include informing the client about their trustedness correctly.
I actually went with the first one for 3 reasons:
- I hope this can be a pure refactor and not change any behavior.
- I don't think that change is enough to warrant removing the note: in the case where the underlying store is a LocalStore, for example, it will blindly return Trusted. So standard streams + non-RemoteStore still means an invalidated client.
- It is good to kindly ferry along whether the "next" store trusts the client, but we could do that in both the stdio and non-stdio cases.
So bottom line is I think this is a good idea, but it deserves its own follow-up PR.
Also I remembered that the way it works today is that the trusting of operations in processConnection is based solely on this parameter, but the trusting status returned to the client already takes store->isTrustedClient() into account.
That means in a chained daemon situation that even if an intermediate daemon trusts the client (and doesn't block any request) the result of store->isTrustedClient() is still the intersection of the trust of each link in the chain.
I actually think that might be good semantics:
- Don't block requests on behalf of another store further down the chain, let the first untrusting store do the blocking.
- Do accurately report to the eventual client whether privileged requests will actually go all the way through.
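The chained-daemon semantics described in the comment above, as an added model written for this page rather than code from Nix or from this PR: each link gates privileged operations on its own flag only, and the flag reported to the client is the intersection of trust down the whole chain. The link names, the three-link chain and the function names `sendPrivilegedRequest`, `naiveReport` and `reportMatchesReality` are constructed for illustration; `isTrustedClient` here is a stand-in for the real method, not Nix's implementation.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Two-valued trust flag, named after the one the thread discusses.
enum class TrustedFlag { Untrusted, Trusted };

// One link in a daemon chain, client side first. `ownTrust` is the flag this
// link's connection handler is handed for the connecting client; the last
// link stands in for the terminal store. (Constructed model, not Nix code.)
struct Link {
    std::string name;
    TrustedFlag ownTrust;
};

// What the client eventually observes for one privileged request.
struct Outcome {
    TrustedFlag reported;   // answer to the client's trust query
    bool reachedStore;      // did the privileged request reach the terminal store?
    std::string blockedAt;  // first link that refused it, empty if none
};

// isTrustedClient() as the comment describes it: the intersection of the
// trust of this link and of every link downstream of it.
TrustedFlag isTrustedClient(const std::vector<Link>& chain, size_t from = 0) {
    for (size_t i = from; i < chain.size(); ++i)
        if (chain[i].ownTrust == TrustedFlag::Untrusted)
            return TrustedFlag::Untrusted;
    return TrustedFlag::Trusted;
}

// Each link gates privileged operations on its own parameter only and
// otherwise forwards, so the first untrusting link is the one that blocks.
Outcome sendPrivilegedRequest(const std::vector<Link>& chain) {
    Outcome out{isTrustedClient(chain), true, ""};
    for (const Link& link : chain) {
        if (link.ownTrust == TrustedFlag::Untrusted) {
            out.reachedStore = false;
            out.blockedAt = link.name;
            break;
        }
    }
    return out;
}

// What a client would be told if only the first link's own parameter were
// reported, i.e. without the intersection (the behaviour the comment avoids).
TrustedFlag naiveReport(const std::vector<Link>& chain) {
    return chain.front().ownTrust;
}

// The property the comment wants: the reported flag is Trusted exactly when a
// privileged request would go all the way through.
bool reportMatchesReality(const std::vector<Link>& chain) {
    Outcome out = sendPrivilegedRequest(chain);
    return (out.reported == TrustedFlag::Trusted) == out.reachedStore;
}

// Constructed scenario: a stdio daemon that statically trusts its standard
// streams forwards to a remote daemon that does not trust the client, which in
// turn sits in front of a local store that trusts whoever reaches it.
std::vector<Link> exampleChain() {
    return {
        {"nix-daemon --stdio", TrustedFlag::Trusted},
        {"ssh-ng daemon", TrustedFlag::Untrusted},
        {"local store", TrustedFlag::Trusted},
    };
}

int main() {
    Outcome out = sendPrivilegedRequest(exampleChain());
    std::printf("reported trust: %s\n",
                out.reported == TrustedFlag::Trusted ? "Trusted" : "Untrusted");
    std::printf("naive first-link report: %s\n",
                naiveReport(exampleChain()) == TrustedFlag::Trusted ? "Trusted" : "Untrusted");
    std::printf("request reached store: %s\n", out.reachedStore ? "yes" : "no");
    if (!out.reachedStore)
        std::printf("blocked at: %s\n", out.blockedAt.c_str());
    return 0;
}
```

In the constructed chain the stdio link would, on its own, tell the client it is trusted, while the request is actually refused one hop later; the intersection report says Untrusted, which is the accurate answer.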
Force-pushed from 7908d7a to bd35d19
Some of the factoring out was taken from NixOS#7912 by @mupdt. Thanks! No behavior should be changed in this commit. Co-Authored-By: mupdt <25388474+mupdt@users.noreply.github.com> Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
Force-pushed from bd35d19 to 8f44edc
Motivation
This is somewhat overkill as none of these functions are in a public header, but I just like making all the code really nice and pretty :).
I hope the next person to touch this code will benefit.
Context
Some of the factoring out was taken from #7912 by @mupdt. Thanks!
Checklist for maintainers
Maintainers: tick if completed or explain if not relevant
- tests/**.sh
- src/*/tests
- tests/nixos/*
Priorities
Add 👍 to pull requests you find important.