
don't use nogroup for networkd, resolved and timesyncd #74084

Merged
merged 4 commits into from Nov 25, 2019

Conversation

@WilliButz
Member

WilliButz commented Nov 24, 2019

Motivation for this change

At the networkd sprint, I switched from scripted networking to networkd and stumbled over some things, one of them being that currently systemd-networkd.service runs as systemd-network:nogroup.
The upstream service file only specifies the User option and we didn't manually add the systemd-network user to the group with the same name, even though it is already defined in nixpkgs.

I noticed this when I added a wireguard interface to my configuration and wanted to pass the private key for an interface as a file, to avoid adding it to the nix store.
The following is taken from the [Wireguard] section of systemd.netdev(5):

PrivateKeyFile=
           Takes an absolute path to a file which contains the Base64 encoded private key for the interface. When this option is specified, then PrivateKey= is ignored. Note that the file must be readable by the user "systemd-network", so it should be, e.g., owned by
           "root:systemd-network" with a "0640" file mode.

Looking at /run/systemd/, I noticed that this also happened for resolved and timesyncd.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

cc #55370

@WilliButz
Member Author

WilliButz commented Nov 24, 2019

@GrahamcOfBorg test systemd-networkd-wireguard
@GrahamcOfBorg test systemd-timesyncd

@flokli flokli self-requested a review Nov 24, 2019
@flokli
flokli approved these changes Nov 24, 2019
@Ma27
Ma27 approved these changes Nov 24, 2019
Contributor

flokli left a comment

@WilliButz can we update nixos/tests/systemd-networkd-wireguard.nix to restrict permissions of the PrivateKeyFile used there to that specific user?

We could use systemd.tmpfiles.rules with Type f to create the keyfile somewhere outside the nix store with restricted permissions.

That way, the nixos vm test should catch the current bug this PR would fix.

@WilliButz
Member Author

WilliButz commented Nov 25, 2019

@flokli sure, sounds good. I'll add it in about an hour 👍

WilliButz added 4 commits Nov 24, 2019
Previously systemd-networkd.service ran as systemd-network:nogroup.
The wireguard private key file is now owned by root:systemd-network with
mode 0640. It is therefore required that the systemd-network user is in the group
with the same name, so that it is able to read the key file.
@WilliButz WilliButz force-pushed the WilliButz:systemd-services/use-correct-groups branch from b9bca13 to ec16f4f Nov 25, 2019
@WilliButz
Member Author

WilliButz commented Nov 25, 2019

@flokli updated the test.
@GrahamcOfBorg test systemd-networkd-wireguard

(cc @NinjaTrappeur)

@flokli
flokli approved these changes Nov 25, 2019
@flokli flokli merged commit e6aba99 into NixOS:master Nov 25, 2019
14 checks passed
@WilliButz WilliButz deleted the WilliButz:systemd-services/use-correct-groups branch Nov 25, 2019
@bluescreen303
Contributor

bluescreen303 commented Jan 4, 2020

As a consequence of this PR, I seem to now have a resolved user at id 1001, overlapping with a normal user account:

mathijs:x:1001:100:Mathijs Kwik:/home/mathijs:/run/current-system/sw/bin/zsh
resolved:x:1001:153::/var/empty:/run/current-system/sw/bin/nologin

I'm using users.mutableUsers = false.
