nixos/gitea: allow setuid/setgid syscalls #103910
Conversation
This removes `setuid` from the list of disallowed syscall categories for the Gitea service, which is necessary for sendmail integration with opensmtpd (and possibly other MTAs) to work. Without this fix, opensmtpd would coredump with a SIGSYS signal when attempting to send a notification e-mail from Gitea.
Looks good and reasonable
Very related: #103446
@@ -542,7 +542,7 @@ in | |||
PrivateMounts = true; | |||
# System Call Filtering | |||
SystemCallArchitectures = "native"; | |||
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap"; | |||
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @swap"; |
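Review bot: the removed `@setuid` entry is dropped unconditionally, so every Gitea deployment loses that seccomp restriction even though the PR description only needs it for the sendmail path (a setuid MTA wrapper such as opensmtpd's being killed with SIGSYS). Consider keeping `@setuid` in the deny list unless the mailer is configured to exec a local sendmail binary, and add a comment on the `SystemCallFilter` line stating why the category is omitted, so a later hardening pass does not silently put it back and reintroduce the crash.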
This should probably be made conditional on whether `MAILER = "sendmail"`, because when using smtp there is no need to allow setuid.
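One way to express the conditional relaxation suggested above, as an added NixOS module snippet that is not part of this PR or of the nixpkgs Gitea module. It assumes the Gitea mailer protocol is readable at `config.services.gitea.settings.mailer.PROTOCOL` (a hypothetical option path; the real key depends on the Gitea and NixOS version) and overrides the service's filter with `lib.mkForce`, the same mechanism the PR author used to test the change locally:

```nix
# Added example: keep the @setuid syscall category blocked unless Gitea is
# configured to hand mail to a local sendmail binary, which needs setuid.
{ config, lib, ... }:
let
  cfg = config.services.gitea;
  # Assumed option path; adjust to the mailer setting your Gitea version uses.
  usesSendmail = (cfg.settings.mailer.PROTOCOL or "") == "sendmail";
  # The deny list from the patched module, minus @setuid.
  baseFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @swap";
in {
  # A list renders as repeated SystemCallFilter= lines, which systemd applies
  # additively, so the @setuid denial is only emitted for non-sendmail setups.
  systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce (
    [ baseFilter ] ++ lib.optional (!usesSendmail) "~@setuid"
  );
}
```

With SMTP delivery the generated unit still carries `SystemCallFilter=~@setuid`; only a sendmail configuration drops it, which keeps the narrower filter for the common case while letting the wrapper run where it is actually needed.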
@joepie91 are you able to take care of this?
Missed the comment, sorry. Unfortunately not able to handle this right now - I'll likely be stuck in construction noise for the next couple of weeks...
Any interest in continuing with this?
I marked this as stale due to inactivity.
ping @joepie91
I have run into a similar problem with nullmailer and sendmail and it turns out that either we would need to reduce the hardening of gitea to almost zero or as an alternative use #231673 in combination with giving gitea the nullmailer group. Since this PR is quite old, stale and would require more work I am going to close it.
Things done
Tested this by applying the change as a `mkForce` override in my system configuration.