Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Disclaimer
Please note that I've discovered
knot
yesterday and thus don't know it well at all. I'm just hacking my way to make it work, and thus this PR may not be the right thing to do.Motivation for this change
NixOS'
services.knot
module currently uses systemd's DynamicUser coupled withStateDirectory
, butknotd
is not the only executable which must be able to operate on theStateDirectory
,keymgr
must too be able to manage keys within it.keymgr
could be run asroot
but then the permissions of the keys wouldn't be right forknotd
. In some conditionDynamicUser
can run a recursivechown
but it would be at the restart of service and AFAIU, only if theStateDirectory
is owned by the wrong user, but here this is the sub directorykeys/
which is would be owned byroot
and notknot
.Things done
This patch wraps
keymgr
withsystemd-run --pipe --uid knot -p DynamicUser=yes -p StateDirectory=knot
to run it with the proper mount namespace allowing it to reach/var/lib/private/knot
, bypassing the/var/lib/private/
protection restricted toroot
by theDynamicUser
machinery.This workaround still has the (minor) inconvenient to require to run
keymgr
asroot
.--working-directory="$PWD"
is also use to be able to give relative paths tokeymgr
(eg. forimport-bind
) but this may fail if the current directory is not accessible to theknot
dynamic user (even if it's just akeymgr $zone list
).Alternatives
Use a SETGID bit
I've not tested it but I thought that if
StateDirectoryMode = "2770"
instead of0700
then theknot
group will be inherited by sub dirs and files, and thus runningkeymgr
asroot
shouldn't be a problem. However ifkasp/data.mdb
isrw
by the group it is not the case ofkasp/keys/
which is created with different rights for the user and the group, the later is not allowed to write in it, thus automatic key generation byknotd
may not work as expected (it won't be able to write/delete thekeys/*.pem
files). Maybe this could be worked around by wrappingkeymgr
with aumask 007
or achmod -R g+w
afterward.Remove
DynamicUser
I'm proposing this patch which assumes that there is a good reason to use
DynamicUser
and thus keep it, but I don't understand the benefit ofDynamicUser
forknotd
, why not using a fixed system user like other NixOS services do?AFAICS this alternative would be better for me as this would also let me open the OUTPUT firewall chain only for this
knot
system user (so it can notify the DNS slave servers) :Currently I must open the firewall for all users, and can only specify the IP address of the DNS slave servers:
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)