Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/dnsdist: Add CAP_NET_BIND_SERVICE to AmbientCapabilities #71576

Merged
merged 1 commit into from
Nov 8, 2019
Merged

nixos/dnsdist: Add CAP_NET_BIND_SERVICE to AmbientCapabilities #71576

merged 1 commit into from
Nov 8, 2019
+2 −3

Conversation

ShaRose
Copy link
Contributor

@ShaRose ShaRose commented Oct 21, 2019

Motivation for this change

It seems that dnsdist doesn't actually request CAP_NET_BIND_SERVICE, which is why normally it's executed and root and changes uid to another, unprivileged, user. This means that as it is, dnsdist will be unable to bind to any port under 1024 and will fail with access denied.

Removing CAP_SETGID and CAP_SETUID is also related to this as we don't actually change the uid or gid as we use DynamicUser. (That part isn't strictly NEEDED but there's no reason to have those capabilities if we don't use them).

There are also some additional sandboxing we can remove from the service definition as they are assumed true or strict by DynamicUser: specifically PrivateTmp and ProtectSystem respectively.

ProtectHome is still there, despite being assumed read-only as setting it to true means they are seen as empty. I don't think it really matters as I don't know if systemd will ignore it or not, but I didn't see any reason to go hunting for excuses to make it a bigger change.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @ disassembler

Sorry, something went wrong.

@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Oct 21, 2019
infinisil
infinisil approved these changes Oct 29, 2019
View reviewed changes
Copy link
Member

@infinisil infinisil left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good ✨

@infinisil
Copy link
Member

Can you prefix the commit message with "nixos/dnsdist: " as is convention?

@ShaRose
Copy link
Contributor Author

ShaRose commented Oct 31, 2019

Sorry it took so long, but I've got it prefixed now.

@infinisil
Copy link
Member

You have three commits in this PR now, should only be a single one, so use rebasing + force pushing instead of merging

@ShaRose
nixos/dnsdist: Add CAP_NET_BIND_SERVICE to AmbientCapabilities
9e2308e 
It seems that dnsdist doesn't actually request CAP_NET_BIND_SERVICE, which is why normally it's executed and root and setuids to another, unprivileged, user. This means that as it is, dnsdist will be unable to bind to any port under 1024 and will fail with access denied.

Removing CAP_SETGID and CAP_SETUID is also related to this as we don't actually change the uid or gid after the fact as we use DynamicUser. (That part isn't strictly NEEDED but there's no reason to have those capabilities if we don't use them).

There are also some additional sandboxing we can remove from the service definition as they are assumed true or strict by DynamicUser: specifically PrivateTmp and ProtectSystem respectively.

ProtectHome is still there, despite being assumed read-only as setting it to true means they are seen as empty. I don't think it really matters as I don't know if systemd will ignore it or not, but I didn't see any reason to go hunting for excuses to make it a bigger change.
@ShaRose
Copy link
Contributor Author

ShaRose commented Oct 31, 2019

Well, at least I'm learning more about git while trying to get this in. (Also to make sure to prefix commit messages).

@infinisil infinisil merged commit 3022fde into NixOS:master Nov 8, 2019
@ShaRose ShaRose deleted the patch-1 branch November 8, 2019 23:23
@Janik-Haag Janik-Haag added the 12. first-time contribution This PR is the author's first one; please be gentle! label Jun 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@infinisil infinisil

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux 12. first-time contribution This PR is the author's first one; please be gentle!
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@ShaRose @infinisil @Janik-Haag