Skip to content

Commit

Permalink
nixos/networkmanager: remove networking.networkmanager.dynamicHosts
Browse files Browse the repository at this point in the history 
This option was removed because allowing (multiple) regular users to
override host entries affecting the whole system opens up a huge attack
vector. There seem to be very rare cases where this might be useful.
Consider setting system-wide host entries using networking.hosts,
provide them via the DNS server in your network, or use
networking.networkmanager.appendNameservers to point your system to
another (local) nameserver to set those entries.
  • Loading branch information
@flokli
flokli committed Oct 20, 2019
1 parent f702ae1 commit ca6c91e
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 77 deletions.
14 changes: 13 additions & 1 deletion nixos/doc/manual/release-notes/rl-2003.xml
View file
Expand Up @@ -85,7 +85,19 @@

<itemizedlist>
<listitem>
<para />
<para>
The <literal>dynamicHosts</literal> option has been removed from the
<link linkend="opt-networking.networkmanager.enable">networkd</link>
module. Allowing (multiple) regular users to override host entries
affecting the whole system opens up a huge attack vector.
There seem to be very rare cases where this might be useful.
Consider setting system-wide host entries using
<link linkend="opt-networking.hosts">networking.hosts</link>, provide
them via the DNS server in your network, or use
<link linkend="opt-environment.etc">environment.etc</link>
to add a file into <literal>/etc/NetworkManager/dnsmasq.d</literal>
reconfiguring <literal>hostsdir</literal>.
</para>
</listitem>
</itemizedlist>
</section>
Expand Down
87 changes: 11 additions & 76 deletions nixos/modules/services/networking/networkmanager.nix
View file
Expand Up @@ -17,9 +17,6 @@ let
networkmanager-vpnc
] ++ optional (!delegateWireless && !enableIwd) wpa_supplicant;

dynamicHostsEnabled =
cfg.dynamicHosts.enable && cfg.dynamicHosts.hostsDirs != {};

delegateWireless = config.networking.wireless.enable == true && cfg.unmanaged != [];

enableIwd = cfg.wifi.backend == "iwd";
Expand Down Expand Up @@ -338,55 +335,20 @@ in {
so you don't need to to that yourself.
'';
};

dynamicHosts = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enabling this option requires the
<option>networking.networkmanager.dns</option> option to be
set to <literal>dnsmasq</literal>. If enabled, the directories
defined by the
<option>networking.networkmanager.dynamicHosts.hostsDirs</option>
option will be set up when the service starts. The dnsmasq instance
managed by NetworkManager will then watch those directories for
hosts files (see the <literal>--hostsdir</literal> option of
dnsmasq). This way a non-privileged user can add or override DNS
entries on the local system (depending on what hosts directories
that are configured)..
'';
};
hostsDirs = mkOption {
type = with types; attrsOf (submodule {
options = {
user = mkOption {
type = types.str;
default = "root";
description = ''
The user that will own the hosts directory.
'';
};
group = mkOption {
type = types.str;
default = "root";
description = ''
The group that will own the hosts directory.
'';
};
};
});
default = {};
description = ''
Defines a set of directories (relative to
<literal>/run/NetworkManager/hostdirs</literal>) that dnsmasq will
watch for hosts files.
'';
};
};
};
};

imports = [
(mkRemovedOptionModule ["networking" "networkmanager" "dynamicHosts"] ''
This option was removed because allowing (multiple) regular users to
override host entries affecting the whole system opens up a huge attack
vector. There seem to be very rare cases where this might be useful.
Consider setting system-wide host entries using networking.hosts, provide
them via the DNS server in your network, or use environment.etc
to add a file into /etc/NetworkManager/dnsmasq.d reconfiguring hostsdir.
'')
];


###### implementation

Expand All @@ -399,12 +361,6 @@ in {
Except if you mark some interfaces as <literal>unmanaged</literal> by NetworkManager.
'';
}
{ assertion = !dynamicHostsEnabled || (dynamicHostsEnabled && cfg.dns == "dnsmasq");
message = ''
To use networking.networkmanager.dynamicHosts you also need to set
`networking.networkmanager.dns = "dnsmasq"`
'';
}
];

environment.etc = with pkgs; [
Expand Down Expand Up @@ -438,12 +394,6 @@ in {
target = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}";
mode = "0544";
}) cfg.dispatcherScripts
++ optional dynamicHostsEnabled
{ target = "NetworkManager/dnsmasq.d/dyndns.conf";
text = concatMapStrings (n: ''
hostsdir=/run/NetworkManager/hostsdirs/${n}
'') (attrNames cfg.dynamicHosts.hostsDirs);
}
++ optional cfg.enableStrongSwan
{ source = "${pkgs.networkmanager_strongswan}/lib/NetworkManager/VPN/nm-strongswan-service.name";
target = "NetworkManager/VPN/nm-strongswan-service.name";
Expand Down Expand Up @@ -491,21 +441,6 @@ in {

systemd.services.ModemManager.aliases = [ "dbus-org.freedesktop.ModemManager1.service" ];

systemd.services.nm-setup-hostsdirs = mkIf dynamicHostsEnabled {
wantedBy = [ "NetworkManager.service" ];
before = [ "NetworkManager.service" ];
partOf = [ "NetworkManager.service" ];
script = concatStrings (mapAttrsToList (n: d: ''
mkdir -p "/run/NetworkManager/hostsdirs/${n}"
chown "${d.user}:${d.group}" "/run/NetworkManager/hostsdirs/${n}"
chmod 0775 "/run/NetworkManager/hostsdirs/${n}"
'') cfg.dynamicHosts.hostsDirs);
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
};

systemd.services.NetworkManager-dispatcher = {
wantedBy = [ "network.target" ];
restartTriggers = [ configFile ];
Expand Down

0 comments on commit ca6c91e

Please sign in to comment.