
[Experiment] Separate security wrappers from NixOS #60289

Closed

infinisil (Member) commented Apr 26, 2019

Motivation for this change

Recently I had to use a nix-shell that installs setuid wrappers for some package-specific dependencies. Because the security wrapper logic was so deeply embedded in NixOS, I had to use NixOS to make the nix-shell work.

This change allows you to set up security wrappers in your nix-shells with the same functionality as in NixOS. E.g. this should work:

pkgs.stdenv.mkDerivation {
  # ...
  shellHook = ''
    sudo ${pkgs.security-wrappers {
        wrapperDir = toString ./wrappers/bin;
        wrappers = {
          fusermount.source = "${pkgs.fuse}/bin/fusermount";
        };
    }}/bin/setup
    export PATH="${toString ./wrappers/bin}:$PATH"
  '';
}

Or this is how you could build it directly:

nix-build '<nixpkgs>' -A security-wrapper --arg wrappers '{ fusermount.source = "${(import <nixpkgs> {}).fuse}/bin/fusermount"; }' --arg wrapperDir "toString $PWD/wrappers/bin"

Only very minimal tests were done, but it seems to work just fine. If anybody needs it, here you go.

I also made minor changes like quoting all bash variables and removing some legacy code that didn't do anything (WRAPPER_PATH).

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

FRidh (Member) commented Apr 27, 2019

@7c6f434c how do you handle this considering you don't run NixOS?

7c6f434c (Member) commented

I have a similar local package in my system expression that uses the NixOS setuid wrapper source, takes a list of entries and produces a script to create/chown/chmod the wrappers. I do not default to setuid if nothing is specified.

… I also have exactly 4 setuid wrappers (FUSE2/FUSE3, su and unix_chkpwd), as most of the system requests are handled via a custom client-server protocol.
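The installer 7c6f434c describes (a script that takes a list of entries and creates, chowns and chmods the wrappers, without defaulting to setuid) and the `setup` script the PR's shellHook calls come down to the same small procedure. The POSIX shell script below is an added example written for this page; it is neither the PR's generated script nor 7c6f434c's package. The function names `install_wrapper`, `wrapper_mode` and `install_wrappers`, the entry format `SRC:DEST[:setuid]`, and the choice to make the wrapper a plain copy of the target binary (NixOS uses a compiled exec stub instead; the ownership and mode rules are the same) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the PR's setup script, not 7c6f434c's package).
# Installs "security wrappers" outside NixOS. Each entry is SRC:DEST[:setuid].
# Assumption: the wrapper is a plain copy of the target binary rather than the
# compiled stub NixOS uses; the ownership/mode rules below are the same either way.

# install_wrapper SRC DEST [setuid]
# Copies SRC to DEST with mode 0755 and, when run as root, owner root:root.
# The setuid bit (mode 4755) is set only when the third argument is literally
# "setuid": an entry that says nothing never becomes setuid by accident.
install_wrapper() {
  src=$1
  dest=$2
  flag=${3:-}

  # Refuse relative sources: a relative path resolves against whatever the
  # current directory happens to be when the installer runs.
  case $src in
    /*) ;;
    *) echo "install_wrapper: refusing relative source '$src'" >&2; return 1 ;;
  esac
  if [ ! -f "$src" ] || [ ! -x "$src" ]; then
    echo "install_wrapper: '$src' is not an executable file" >&2
    return 1
  fi
  # Never install a file over itself: the source must stay unprivileged.
  if [ "$src" = "$dest" ]; then
    echo "install_wrapper: source and destination are the same path" >&2
    return 1
  fi

  mode=0755
  if [ "$flag" = setuid ]; then
    # A setuid wrapper owned by a non-root user is just an ordinary binary,
    # so insist on root before promising one.
    if [ "$(id -u)" -ne 0 ]; then
      echo "install_wrapper: setuid wrapper '$dest' requires root" >&2
      return 1
    fi
    mode=4755
  fi

  # The wrapper directory must not be writable by others: anyone who can
  # replace files next to a setuid binary can plant a different one.
  dir=$(dirname "$dest")
  mkdir -p "$dir"
  chmod 0755 "$dir"

  # Create a fresh file, then fix owner and mode on the copy; the source in
  # the store is never chmodded in place.
  rm -f "$dest"
  cp "$src" "$dest"
  if [ "$(id -u)" -eq 0 ]; then
    chown root:root "$dest"
  fi
  chmod "$mode" "$dest"
}

# wrapper_mode PATH prints the octal permission bits of an installed wrapper
# (GNU stat), used to verify what install_wrapper produced.
wrapper_mode() {
  stat -c %a "$1"
}

# install_wrappers ENTRY... processes entries of the form SRC:DEST[:setuid],
# stopping at the first failure so a half-populated wrapper dir is noticed.
install_wrappers() {
  for entry in "$@"; do
    case $entry in
      *:*) ;;
      *) echo "install_wrappers: malformed entry '$entry' (want SRC:DEST[:setuid])" >&2; return 1 ;;
    esac
    src=${entry%%:*}
    rest=${entry#*:}
    dest=${rest%%:*}
    flag=
    case $rest in *:*) flag=${rest#*:} ;; esac
    install_wrapper "$src" "$dest" "$flag" || return 1
  done
}

# Usage when run directly, e.g. from a nix-shell shellHook:
#   sudo sh install-wrappers.sh "$FUSE/bin/fusermount:$PWD/wrappers/bin/fusermount:setuid"
if [ "$#" -gt 0 ]; then
  install_wrappers "$@"
fi
```

Entries without the trailing `:setuid` produce ordinary 0755 copies, which is the behaviour 7c6f434c describes for unspecified entries; the setuid path refuses to run as a non-root user rather than silently installing a non-privileged binary under a name that suggests otherwise.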

infinisil (Member, Author) commented

I'll just close this for now because I don't need this anymore and have no intention of testing it (even though the chance of it breaking anything is rather low). If somebody needs this, feel free to use the change in this PR, comment here or make a PR with this change.

@infinisil infinisil closed this Apr 30, 2019
@infinisil infinisil deleted the separate-security-wrappers branch April 30, 2019 22:31