
dont use nogroup for networkd, resolved and timesyncd #74084

Merged
merged 4 commits into from Nov 25, 2019

Conversation

WilliButz
Member

Motivation for this change

At the networkd sprint, I switched from scripted networking to networkd and stumbled over some things, one of them being that currently systemd-networkd.service runs as systemd-network:nogroup.
The upstream service file only specifies the User option and we didn't manually add the systemd-network user to the group with the same name, even though it is already defined in nixpkgs.

I noticed this when I added a wireguard interface to my configuration and wanted to pass the private key for an interface as a file, to avoid adding it to the nix store.
The following is taken from the [Wireguard] section of systemd.netdev(5):

PrivateKeyFile=
    Takes an absolute path to a file which contains the Base64 encoded private key for the interface. When this option is specified, then PrivateKey= is ignored. Note that the file must be readable by the user "systemd-network", so it should be, e.g., owned by "root:systemd-network" with a "0640" file mode.

Looking at /run/systemd/, I noticed that this also happened for resolved and timesyncd.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

cc #55370

@WilliButz
Member Author

@GrahamcOfBorg test systemd-networkd-wireguard
@GrahamcOfBorg test systemd-timesyncd

@flokli flokli self-requested a review November 24, 2019 22:04
Contributor

@flokli flokli left a comment


@WilliButz can we update nixos/tests/systemd-networkd-wireguard.nix to restrict permissions of the PrivateKeyFile used there to that specific user?

We could use systemd.tmpfiles.rules with Type f to create the keyfile somewhere outside the nix store with restricted permissions.

That way, the nixos vm test should catch the current bug this PR would fix.
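As an added illustration (not the PR's diff or the test it updates), a NixOS configuration fragment that puts the pieces discussed above together: the systemd-network user with its own group as primary group, a tmpfiles rule that keeps the key outside the nix store with root:systemd-network 0640 ownership, and a netdev that points PrivateKeyFile= at it. The key path /var/lib/wireguard/wg0.key and the interface name wg0 are assumed.

```nix
{ config, pkgs, ... }:
{
  # Mirrors what this PR changes in nixpkgs: the upstream unit only sets
  # User=, so the group the service runs as is the user's primary group
  # from the passwd entry. Without "group" it falls back to nogroup.
  # (Illustrative only; nixpkgs already declares this user.)
  users.users.systemd-network = {
    isSystemUser = true;
    group = "systemd-network";
  };
  users.groups.systemd-network = { };

  # Keep the private key out of the world-readable nix store.
  # "z" only adjusts owner/group/mode of an existing file, so the key
  # itself is provisioned out of band (e.g. copied in by the admin).
  # The VM test instead uses type "f" with the (test-only) key as the
  # argument, which is fine there because the key is not secret.
  systemd.tmpfiles.rules = [
    "d /var/lib/wireguard 0750 root systemd-network -"
    "z /var/lib/wireguard/wg0.key 0640 root systemd-network -"
  ];

  systemd.network.enable = true;
  systemd.network.netdevs."10-wg0" = {
    netdevConfig = { Name = "wg0"; Kind = "wireguard"; };
    # Read by the service as systemd-network:systemd-network, which
    # the 0640 group-readable mode above allows.
    wireguardConfig.PrivateKeyFile = "/var/lib/wireguard/wg0.key";
  };
}
```

After a rebuild, `id systemd-network` should report systemd-network (not nogroup) as the primary group, and `ls -l /var/lib/wireguard/wg0.key` should show `-rw-r----- root systemd-network`.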

@WilliButz
Member Author

@flokli sure, sounds good. I'll add it in about an hour 👍

Previously systemd-networkd.service ran as systemd-network:nogroup.
The wireguard private key file is now owned by root:systemd-network with
mode 0640. It is therefore required that the systemd-network user is in the group
with the same name, so that it is able to read the key file.
@WilliButz WilliButz force-pushed the systemd-services/use-correct-groups branch from b9bca13 to ec16f4f on November 25, 2019 09:48
@WilliButz
Member Author

@flokli updated the test.
@GrahamcOfBorg test systemd-networkd-wireguard

(cc @NinjaTrappeur)

@flokli flokli merged commit e6aba99 into NixOS:master Nov 25, 2019
@WilliButz WilliButz deleted the systemd-services/use-correct-groups branch November 25, 2019 19:51
@bluescreen303
Contributor

bluescreen303 commented Jan 4, 2020

As a consequence of this PR, I seem to now have a resolved user at id 1001, overlapping with a normal user account:

mathijs:x:1001:100:Mathijs Kwik:/home/mathijs:/run/current-system/sw/bin/zsh
resolved:x:1001:153::/var/empty:/run/current-system/sw/bin/nologin

I'm using users.mutableUsers = false.
