Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

systemd user services shouldn't run as root and other "non-interactive" users #30712

Merged
merged 3 commits into from Aug 2, 2019
Merged

systemd user services shouldn't run as root and other "non-interactive" users #30712

merged 3 commits into from Aug 2, 2019

Conversation

peterhoeg
Copy link
Member

Motivation for this change

Previously, if root logged in to the console while services.kbfs.enable = true;, systemd would try to spawn the kbfs and keybase units which is probably not what we want.

Since systemd 234 we have been able to specify that a unit should only run for specific users or alternatively "not for system users" which is what this PR does.

As this is a change in existing behaviour, I thought it best to see if anybody would have any issues with this.

Cc: @carlsverre @np @rvolosatovs @bennofs @fpletz @NeQuissimus

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

@edolstra
Copy link
Member

It's debatable whether root should be a non-interactive user. For example, nixops ssh logs in as root by default.

@peterhoeg
Copy link
Member Author

peterhoeg commented Oct 23, 2017
edited

By "non-interactive" I meant "not a human doing general purpose stuff". I'm not sure if having ssh-agent running as root has its uses but keybase/kbfs definitely shouldn't be running.

In any case, this PR doesn't change anything about the definition of root - it only disables the 3 mentioned user units for root.

@rvolosatovs
Copy link
Member

I'd say this should be configurable.

@fpletz
Copy link
Member

fpletz commented Oct 23, 2017

There are even more user services where this change would be useful. For instance, btsync, gpg-agent and pulseaudio. Maybe we should give each user service an extra option to set for which users the service is started. On the other hand we do have ConditionUser which can be overridden in any NixOS config but this is an implementation detail.

For most user services I agree that it doesn't make much sense to run them as root or other non-interactive users. I think this should be the default for all our user services.

@peterhoeg
Copy link
Member Author

@edolstra - do you still have reservations about this PR?

@peterhoeg
Copy link
Member Author

@rvolosatovs you said:

I'd say this should be configurable

You're saying that we should be able to define per service if it should run for root as well or a global switch of some kind? Can you share some details on your specific use case?

@rvolosatovs
Copy link
Member

What I had in mind was having something like runAsRoot boolean option, or, even better, similar to what @fpletz proposed having something like a users option, where you could define the users to run the service for, or, other way round, having a services option in user definition, where the services, that should run would be cofigured.
Another idea was that maybe it could be abstracted somehow... like being able to specify non-interactive users, for whom "interactive" services would not get started.

By the way, shouldn't all systemd.user.services only run for non-root users anyway?

@peterhoeg
Copy link
Member Author

having something like a users option, where you could define the users to run the service for

That makes sense, but is really just the mechanics of it. What would be the use case for running syncthing or keybase as root?

By the way, shouldn't all systemd.user.services only run for non-root users anyway?

That's what I would say although services wantedBy = [ "graphical-session.target" ]; do not require handling as that target should never be started by root in the first place.

@mmahut
Copy link
Member

mmahut commented Aug 1, 2019

Any update on this pull request?

@peterhoeg
Copy link
Member Author

This is safe to merge - the 3 mentioned services should not run as root.

@peterhoeg peterhoeg merged commit f263956 into NixOS:master Aug 2, 2019
@peterhoeg peterhoeg deleted the f/service branch August 2, 2019 03:58
@peterhoeg peterhoeg restored the f/service branch August 2, 2019 11:20
@peterhoeg peterhoeg deleted the f/service branch August 5, 2019 08:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fpletz fpletz fpletz approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@peterhoeg @edolstra @rvolosatovs @fpletz @mmahut