Skip to content

nixos/nfsd: run rpc-statd as a normal user #96844

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 9, 2020
Merged

nixos/nfsd: run rpc-statd as a normal user #96844

merged 1 commit into from
Sep 9, 2020
+34 −35

Conversation

peterhoeg
Copy link
Member

Motivation for this change

Instead of running it as root, use a dedicated user.

Been running with it here for a while without any issues.

Closes #63756

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

Sorry, something went wrong.

@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Aug 31, 2020
@aanderse
Copy link
Member

Out of curiosity what user does this run on other distros like Arch, Debian, Gentoo, RedHat, etc...?

@peterhoeg
Copy link
Member Author

peterhoeg commented Aug 31, 2020 via email

@aanderse
Copy link
Member

aanderse commented Sep 1, 2020

This is somewhat confusing if you aren't familiar with the internals of nfs. Since you aren't running the service as the statd user the module simply appears to be creating a user for no apparent reason (if you don't know that rpc.statd will drop privileges based on the ownership of a directory, which I did not know). A comment would go a long way.

If we look at the mkdir usage in the preStart this starts to look like a mild security concern. If /var/lib/nfs is blown away for some reason and tmpfiles doesn't have a chance to run then the mkdir command will create directories owned by root and we're back to the (bad) situation the module is currently in. I would recommend removing all (or at least as much) usage of mkdir as possible here in favour of another solution (like tmpfiles.rules). It would become even easier if we made an attribute set to replace the exports option... but now I'm starting to make massive scope creep on this PR 😆

If we merge this PR now as is would you have capacity to either work on or review a PR which replaced the exports option with an attribute set?

@peterhoeg peterhoeg force-pushed the m/nfs branch 2 times, most recently from aea3ef7 to b3596db Compare September 6, 2020 13:51
@peterhoeg
Copy link
Member Author

Very good points - I totally missed those mkdirs @aanderse. It's been cleaned up now and some docs added too.

aanderse
aanderse reviewed Sep 6, 2020
View reviewed changes
nixos/modules/services/network-filesystems/nfsd.nix Outdated
# /var/lib/nfs
systemd.tmpfiles.rules = [
"d /var/lib/nfs 0700 ${rpcUser} ${rpcUser} - -"
"d /var/lib/nfs/recovery 0755 root root - -"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this throw a silent runtime error with systemd-tmpfiles stating unsafe transition? I'm thinking it will... 🤔

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why would it do that?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

systemd/systemd#13052 (comment)

@peterhoeg
Copy link
Member Author

Found another mkdir invocation which is now gone.

@peterhoeg peterhoeg closed this Sep 7, 2020
@peterhoeg peterhoeg deleted the m/nfs branch September 7, 2020 12:16
@peterhoeg peterhoeg restored the m/nfs branch September 7, 2020 12:19
@peterhoeg
Copy link
Member Author

It works here though. I just tried shutting down the nfs service, remove the directory and reboot the nas. This is what is created:

# ls -la nfs
total 8
drwx------  1 statd statd 132 Sep  7 20:22 .
drwxr-xr-x  1 root  root  256 Sep  7 20:22 ..
-rw-r--r--  1 root  root  207 Sep  7 20:22 etab
-rw-------  1 root  root    0 Sep  7 20:22 .etab.lock
-rw-r--r--  1 root  root    0 Sep  7 20:22 export-lock
drwxr-xr-x  1 root  root    0 Sep  7 20:22 recovery
dr-xr-xr-x 11 root  root    0 Sep  7 20:22 rpc_pipefs
drwxr-xr-x  1 root  root    0 Sep  7 20:22 sm
drwxr-xr-x  1 root  root    0 Sep  7 20:22 sm.bak
-rw-r--r--  1 root  root    4 Sep  7 20:22 state
drwxr-xr-x  1 root  root    0 Sep  7 20:22 v4recovery

@peterhoeg peterhoeg reopened this Sep 7, 2020
@peterhoeg
Copy link
Member Author

This is admittedly with this PR applied to 20.03 which uses systemd 243. I don't know if anything changed since then.

aanderse
aanderse approved these changes Sep 8, 2020
View reviewed changes
Copy link
Member

@aanderse aanderse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great, glad to hear this is fine. I can't recall the details of what systemd classifies as an unsafe transition but this is working so... LGTM 👍

@peterhoeg
Copy link
Member Author

@GrahamcOfBorg eval

@peterhoeg peterhoeg merged commit 42eebd7 into NixOS:master Sep 9, 2020
@peterhoeg peterhoeg deleted the m/nfs branch September 9, 2020 01:10
@peterhoeg peterhoeg mentioned this pull request Sep 9, 2020
Closed
10 tasks
@vcunat
Copy link
Member

vcunat commented Sep 10, 2020

This merge breaks a test #97582 (I checked a local revert). Unless we have a fix very soon (say, today), I suggest to revert it until the issue is resolved.

@peterhoeg peterhoeg mentioned this pull request Sep 10, 2020
Closed
10 tasks
vcunat added a commit that referenced this pull request Sep 10, 2020
@vcunat
Revert "Merge #96844: nixos/nfsd: run rpc-statd as a normal user"

Verified

This commit was signed with the committer’s verified signature.
vcunat Vladimír Čunát
GPG key ID: E747DF1F9575A3AA
Verified
Learn about vigilant mode
538e558 
This reverts commit 42eebd7, reversing
changes made to b169bfc.

This breaks nfs3.simple test and even current PR #97656 wouldn't fix it.
Therefore let's revert for now to unblock the channels.
@peterhoeg
Copy link
Member Author

Thanks for handling this - things were working perfectly fine here. I'll get this fixed later.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aanderse aanderse

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

rpc.statd runs as root - it shouldn't
3 participants
@peterhoeg @aanderse @vcunat