
searx: allow running on privileged ports. #91587

Closed
wants to merge 3 commits into from

Conversation

dasj19
Contributor

@dasj19 dasj19 commented Jun 26, 2020

Motivation for this change

Added `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` to allow running the service on privileged ports (0-1024).

Thanks @mweinelt for pointing that out. I changed this PR to the new strategy for allowing privileged ports.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

CC @rnhmjoj

@dasj19 dasj19 changed the title from "Added user option to searx." to "searx: added user option" Jun 26, 2020
Member

@mweinelt mweinelt left a comment


Instead of running searx as root you should add CAP_NET_BIND_SERVICE if you want it to run on a privileged port. Running it as root gives it far too many capabilities by default.

@dasj19 dasj19 changed the title from "searx: added user option" to "searx: allow running on priviledged ports." Jun 26, 2020
@dasj19
Contributor Author

dasj19 commented Jun 26, 2020

@mweinelt I modified the PR to reflect your suggestion, thanks for pointing it out. Did not know about it.

uid = config.ids.uids.searx;
description = "Searx user";
createHome = true;
home = "/var/lib/searx";
Contributor


You should use the systemd StateDirectory mechanism, instead.
Basically, remove the two lines here and add `serviceConfig.StateDirectory = "searx";`; this will create a directory with the right permissions.

Contributor Author


Done, thanks for the tip.

@dasj19 dasj19 requested a review from rnhmjoj June 27, 2020 12:25
@dasj19
Contributor Author

dasj19 commented Jun 27, 2020

A bit off-topic... how do we also facilitate running searx under HTTPS with Let's Encrypt?

@rnhmjoj
Contributor

rnhmjoj commented Jun 27, 2020

I run searx and my setup is based on nginx as a reverse proxy. The nginx module integrates ACME via the option services.nginx.virtualHosts.<name>.enableACME. You could implement ACME support in searx without httpd or nginx, but it's probably not worth it. Also, I don't trust the searx internal webserver enough to expose it without a proxy.

@dasj19
Contributor Author

dasj19 commented Jun 29, 2020

@rnhmjoj Can we close this if you mean it is ready to go? I'll try to use searx with a proxy.
I tried to squash the commits, but without luck. If you know the how-tos of squashing, can you please share? Thanks

@rnhmjoj
Contributor

rnhmjoj commented Jun 29, 2020

Yeah, it looks good to me.

To squash the commits you should do an interactive rebase. If you've never used it before, here's how it works: you need to edit the last 4 commits of your branch history, so run

$ git rebase -i HEAD~4

This will open a file in your text editor containing the list of the commits and some instructions, you should read them.
You basically want to merge the first three commits into one, giving it a new message and keeping the last one as-is. To do that use reword on the first, fixup on the next two and leave pick on the last one.
When done, save, exit the editor and check with git log -p that everything is all right.

If you mess up, use git reflog to undo the rebase, otherwise git push --force.

@@ -66,6 +64,9 @@ in
serviceConfig = {
User = "searx";
ExecStart = "${cfg.package}/bin/searx-run";
StateDirectory = "searx";
# Allow running the service on priviledged ports.
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
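Review bot: AmbientCapabilities is set unconditionally here, so every deployment of the module gets CAP_NET_BIND_SERVICE even when searx is bound to a high port behind a reverse proxy; consider gating it on an option so the default service keeps the narrower capability set, or leave it to the user's own systemd.services.searx.serviceConfig override. The comment on the line above also has a typo: "priviledged" should be "privileged".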
Member


I'm not sure if we want to raise that capability for everyone using searx (AFAICS we don't do it that often for web-services atm).

If you prefer that kind of solution you can still modify the service in your configuration.nix:

{
  services.searx.enable = true;
  systemd.services.searx.serviceConfig.AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
}

Contributor Author

@dasj19 dasj19 Jul 1, 2020


Ok, got it... I managed to use searx as a proxy with Apache, so I don't need a privileged port either.

  # Startup a searx server.
  services.searx.enable = true;
  services.searx.configFile = "/etc/nixos/searx-config.yml";

  # Apache httpd server configuration.
  services.httpd.enable = true;
  services.httpd.package = pkgs.apacheHttpd_2_4;
  services.httpd.extraModules = [ "headers" "proxy" "proxy_http" ];
  services.httpd.virtualHosts."searx.example.com" = {
    extraConfig = ''
      ProxyPass "/" "http://127.0.0.1:8100/"
      ProxyPassReverse "/" "http://127.0.0.1:8100/"
    '';
  };
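Putting the thread's advice together, as an added configuration.nix example (not code from this PR or from nixpkgs): the capability is granted only behind a local toggle instead of for every searx instance, and the default path keeps searx on localhost behind nginx with ACME, as rnhmjoj suggested. It assumes searx listens on 127.0.0.1:8100 as in the Apache snippet above; the hostname, e-mail address and the `bindPrivilegedPort` toggle are placeholders.

```nix
# Added example, not part of the PR. Assumes searx listens on 127.0.0.1:8100
# (as in the Apache snippet in this thread); hostname and e-mail are placeholders.
{ config, lib, pkgs, ... }:

let
  # Flip to true only for a deployment that really binds a port below 1024.
  bindPrivilegedPort = false;
in
{
  services.searx.enable = true;

  systemd.services.searx.serviceConfig = {
    # Grant CAP_NET_BIND_SERVICE only when it is actually needed, rather than
    # unconditionally for everyone using the module (mweinelt's objection).
    AmbientCapabilities = lib.mkIf bindPrivilegedPort [ "CAP_NET_BIND_SERVICE" ];
    # Keep the bounding set equally narrow so the unit cannot gain anything else.
    CapabilityBoundingSet = lib.mkIf bindPrivilegedPort [ "CAP_NET_BIND_SERVICE" ];
    # Ambient capabilities survive this; it stops setuid binaries from adding more.
    NoNewPrivileges = true;
    PrivateTmp = true;
  };

  # Preferred path from the thread: searx stays on a high port on localhost,
  # nginx owns ports 80/443 and handles the ACME certificate.
  services.nginx = {
    enable = true;
    virtualHosts."searx.example.com" = {
      enableACME = true;
      forceSSL = true;
      locations."/".proxyPass = "http://127.0.0.1:8100";
    };
  };
  security.acme.acceptTerms = true;
  # Option name as of NixOS 21.05 and later; earlier releases used security.acme.email.
  security.acme.defaults.email = "admin@example.com";

  networking.firewall.allowedTCPPorts = [ 80 443 ];
}
```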

@dasj19
Contributor Author

dasj19 commented Jul 4, 2020

Since there is no longer a need for the searx service to run directly on privileged ports, I close this PR as it does not bring anything of value code-wise. The discussion is valuable and should be somehow extracted into some form of documentation.

@dasj19 dasj19 closed this Jul 4, 2020