New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/syncoid: enable N:N dataset mappings #147559
Conversation
0deb508
to
6713670
Compare
Are all sends still done in parallel? I'm observing this ZFS bug after updating to 21.11. |
@numinit, yes, nothing change for that: each entry in |
@ju1m Gotcha. I may have an API idea for how to allow users to run certain sends in series, I'll toy around with it. Going from all in series to all in parallel was some whiplash for my particular setup and I'm not sure if it was documented anywhere. |
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for ignoring this PR, but I have started to feel like I can't keep up with the changes to this module.
Perhaps this is explained in some previous discussion, but what do you mean by N:N dataset mappings? Could you provide an example config, and perhaps add it to the NixOS test?
I also am concerned about how DynamicUser interacts with delegated permissions. What happens if the power fails or the machine crashes in the middle of running syncoid? Wouldn't that cause the permissions to never be removed, and potentially later given to another DynamicUser service that reuses the same UID?
About
|
Thanks for the explanation and the test! Regarding the UID issue, I'm not totally comfortable with relying on "likely" behavior for security. The blog post you linked describes UID reuse as a performance optimization, rather than guaranteed behavior. In the documentation, the sentence after the one you quoted specifically notes reuse is not guaranteed: "Care should be taken that any processes running as part of a unit for which dynamic users/groups are enabled do not leave files or directories owned by these users/groups around, as a different unit might get the same UID/GID assigned later on, and thus gain access to these files or directories." Turning this into an exploitable vulnerability requires a combination of several seemingly unlikely scenarios, but many attacks consist of methods of turning unlikely events into likely ones. Therefore, I don't feel comfortable approving this PR yet. Ideally we could find some solution to truly fix the problem, but at least I would like feedback from others on this issue. |
@lopsided98 yes it's a "likely", but please let's dive in a bit to understand why. I hope that I won't make too many mistakes nor make it too hard to follow. AFAIU, the stability of the UID/GID is not the side-effect of a secondary performance optimization, it is a conscious goal to minimize the number of chown()s on directories like The current logic (in
So, AFAIU, to cause a security problem one would need to:
Possible mitigations
|
Thank you for looking into this. I now agree that the risk seems acceptable, although I'd still like someone else to concur (I can't merge, so that's pretty much inevitable anyway). |
|
We're locking and closing this pull request, because through the rebase you inadvertently requested many maintainers for review, which subscribed them to update notifications, resulting in unnecessary spam inside everyone's inbox. While we can remove their review requests, we sadly cannot unsubscribe anyone. Please create a new pull request and for the next time remember to set your PR to draft status before rebasing. In draft status, you can preview the list of maintainers that are about to be requested for review, which allows you to sidestep this issue. |
This PR is ready for reviews.
Motivation for this change
As proposed in a past comment, this PR changes the
syncoid.service
so that it usesDynamicUser=
.This move to
DynamicUser=
should safely allow (to the best of my knowledge, but please double check) to send the same dataset to multiple targets.Things done
TZ
envvar@timer
syscallsdestroy
tolocalTargetAllow
's defaultDynamicUser=
nftables
is enabled, the set@nixos-syncoid-uids
can be used for UID-based dynamic egress filtering of the SSH connections.ExecStartPre=
(resp.ExecStopPost=
) will add (resp. remove) in that set the dynamic UID of thesyncoid
process so that it can be used with something like:networking.nftables.ruleset = "table inet filter { chain output-net { skuid @nixos-syncoid-uids meta l4proto tcp accept } }";
ssh
is hacked usingBindReadOnlyPaths=
to workaround a bug inbash
's ownmalloc
implementation bash: update patches #146463 (comment) , this could be removed after 2ef6252 has hitmaster
.syncoid
: makembuffer
andlzop
findable overssh
.sandbox = true
set innix.conf
? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"
. Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/
)nixos/doc/manual/md-to-db.sh
to update generated release notes