dont use nogroup for networkd, resolved and timesyncd #74084
Conversation
@GrahamcOfBorg test systemd-networkd-wireguard
@WilliButz can we update nixos/tests/systemd-networkd-wireguard.nix to restrict permissions of the PrivateKeyFile used there to that specific user? We could use systemd.tmpfiles.rules with Type f to create the keyfile somewhere outside the nix store with restricted permissions. That way, the nixos vm test should catch the current bug this PR would fix.
@flokli sure, sounds good. I'll add it in about an hour 👍
Previously systemd-networkd.service ran as systemd-network:nogroup. The wireguard private key file is now owned by root:systemd-network with mode 0640. It is therefore required that the systemd-network user is in the group with the same name, so that it is able to read the key file.
b9bca13 to ec16f4f
@flokli updated the test. (cc @NinjaTrappeur)
as a consequence of this PR, I seem to now have a
I'm using
Motivation for this change

At the networkd sprint, I switched from scripted networking to networkd and stumbled over some things, one of them being that currently `systemd-networkd.service` runs as `systemd-network:nogroup`. The upstream service file only specifies the `User` option and we didn't manually add the `systemd-network` user to the group with the same name, even though it is already defined in nixpkgs. I noticed this when I added a wireguard interface to my configuration and wanted to pass the private key for an interface as a file, to avoid adding it to the nix store.

The following is taken from the `[Wireguard]` section of `systemd.netdev(5)`:

Looking at `/run/systemd/`, I noticed that this also happened for `resolved` and `timesyncd`.

Things done

- Tested using sandboxing (`nix.useSandbox` on NixOS, or option `sandbox` in `nix.conf` on non-NixOS linux)
- Tested compilation of all pkgs that depend on this change using `nix-shell -p nix-review --run "nix-review wip"`
- Tested execution of all binary files (usually in `./result/bin/`)
- Determined the impact on package closure size (by running `nix path-info -S` before and after)

cc #55370
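The description above hinges on one systemd rule: a unit that sets only `User=` inherits that user's primary group, so a dedicated user whose primary group is `nogroup` ends up as `systemd-network:nogroup`, and the same happens for resolved and timesyncd. The audit script below is an added example (not code from this PR or from nixpkgs) that reads `User=`/`Group=` via `systemctl show`, resolves the effective group through the local passwd database, and reports units that fall back to `nogroup`; it assumes a Linux host with `systemctl` for live use, and the function names are my own.

```python
"""Added example (not nixpkgs or PR code): find systemd units that run as
<dedicated user>:nogroup because only User= is set and that user's primary
group is nogroup. Live use assumes a Linux host with systemctl; the core
functions take plain data so the logic can be checked anywhere."""
import grp
import pwd
import subprocess

# Units named in this PR's description; audit() accepts any list of units.
SUSPECT_UNITS = ["systemd-networkd.service", "systemd-resolved.service",
                 "systemd-timesyncd.service"]

def parse_show(output):
    """Parse `systemctl show -p User -p Group <unit>` output into a dict."""
    props = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def effective_identity(props, primary_group_of):
    """(user, group) the main process runs as; an empty Group= means systemd
    falls back to the user's primary group, which is how nogroup crept in."""
    user = props.get("User") or "root"
    group = props.get("Group") or primary_group_of(user)
    return user, group

def find_nogroup_units(unit_to_props, primary_group_of):
    """Return (unit, 'user:group') for units whose effective group is nogroup.
    nobody:nogroup is the intended pairing, so the nobody user is skipped."""
    findings = []
    for unit, props in unit_to_props.items():
        user, group = effective_identity(props, primary_group_of)
        if group == "nogroup" and user != "nobody":
            findings.append((unit, f"{user}:{group}"))
    return findings

def system_primary_group(user):
    """Primary group name of `user` from the local passwd/group databases."""
    return grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name

def audit(units=SUSPECT_UNITS):
    """Query systemctl for each unit and return the mismatches found live."""
    unit_to_props = {}
    for unit in units:
        cmd = ["systemctl", "show", "-p", "User", "-p", "Group", unit]
        out = subprocess.run(cmd, capture_output=True, text=True, check=True)
        unit_to_props[unit] = parse_show(out.stdout)
    return find_nogroup_units(unit_to_props, system_primary_group)
```

On a host with the pre-PR configuration, `audit()` reports `systemd-networkd.service` as `systemd-network:nogroup`; an empty list means none of the suspect units falls back to `nogroup`.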