Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/gitea: allow setuid/setgid syscalls #103910

Closed
wants to merge 1 commit into from
Closed

nixos/gitea: allow setuid/setgid syscalls #103910

wants to merge 1 commit into from

Conversation

joepie91
Copy link
Contributor

Motivation for this change

This removes setuid from the list of disallowed syscall categories for the Gitea service, which is necessary for sendmail integration with opensmtpd (and possibly other MTAs) to work. Without this fix, opensmtpd would coredump with a SIGSYS signal when attempting to send a notification e-mail from Gitea.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

Tested this by applying the change as a mkForce override in my system configuration.

@joepie91
nixos/gitea: allow setuid/setgid syscalls
6bab91b 
This removes `setuid` from the list of disallowed syscall categories for the Gitea service,
which is necessary for sendmail integration with opensmtpd (and possibly
other MTAs) to work. Without this fix, opensmtpd would coredump with a SIGSYS signal
when attempting to send a notification
e-mail from Gitea.
@aanderse aanderse requested review from srhb, Ma27 and dasJ December 2, 2020 13:28
@aanderse aanderse added the 9.needs: port to stable A PR needs a backport to the stable release. label Dec 2, 2020
dasJ
dasJ approved these changes Dec 2, 2020
View reviewed changes
Copy link
Member

@dasJ dasJ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good and reasonable

@hmenke
Copy link
Member

hmenke commented Dec 13, 2020

Very related: #103446

hmenke
hmenke suggested changes Dec 13, 2020
View reviewed changes
nixos/modules/services/misc/gitea.nix
@@ -542,7 +542,7 @@ in
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap";
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @swap";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should probably be made conditional on whether MAILER = "sendmail" because when using smtp there is no need to allow setuid.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@joepie91 are you able to take care of this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missed the comment, sorry. Unfortunately not able to handle this right now - I'll likely be stuck in construction noise for the next couple of weeks...

@aanderse
Copy link
Member

aanderse commented Jun 5, 2021

Any interest in continuing with this?

@stale
Copy link

stale bot commented Jan 9, 2022

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jan 9, 2022
@SuperSandro2000
Copy link
Member

ping @joepie91

@SuperSandro2000
Copy link
Member

I have ran into a similar problem with nullmailer and sendmail and it turns out that either we would need to reduce the hardening of gitea to almost zero or as an alternative use #231673 in combination with giving gitea the nullmailer group. Since this PR is quite old, stale and would require more work I am going to close it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aanderse aanderse aanderse left review comments

@hmenke hmenke hmenke requested changes

@dasJ dasJ dasJ approved these changes

@Ma27 Ma27 Ma27 approved these changes

@srhb srhb Awaiting requested review from srhb

Assignees
No one assigned
Labels
2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md 6.topic: nixos 8.has: module (update) 9.needs: port to stable A PR needs a backport to the stable release. 10.rebuild-darwin: 0 10.rebuild-linux: 0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@joepie91 @hmenke @aanderse @SuperSandro2000 @dasJ @Ma27