nixos/nix
1
1
Fork 0
mirror of https://github.com/NixOS/nix.git synced 2025-11-12 21:46:01 +01:00
Code Activity

Merge pull request #5640 from obsidiansystems/daemon-auth-2.3

Browse source 
[backport 2.3] Separate auth and logic for the daemon
This commit is contained in:
John Ericson 2025-02-17 12:48:51 -05:00 committed by GitHub
commit 9cdaeba80e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 22 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

30
src/nix-daemon/nix-daemon.cc
View file

@ -743,7 +743,11 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
static void processConnection(bool trusted, static void processConnection(bool trusted,
const std::string & userName, uid_t userId) /* Arbitrary hook to check authorization / initialize user data / whatever
after the protocol has been negotiated. The idea is that this function
and everything it calls doesn't know about this stuff, and the
`nix-daemon` handles that instead. */
std::function<void(Store &)> authHook)
{ {
MonitorFdHup monitor(from.fd); MonitorFdHup monitor(from.fd);
@ -781,20 +785,13 @@ static void processConnection(bool trusted,
/* If we can't accept clientVersion, then throw an error /* If we can't accept clientVersion, then throw an error
*here* (not above). */ *here* (not above). */
#if 0
/* Prevent users from doing something very dangerous. */
if (geteuid() == 0 &&
querySetting("build-users-group", "") == "")
throw Error("if you run 'nix-daemon' as root, then you MUST set 'build-users-group'!");
#endif
/* Open the store. */ /* Open the store. */
Store::Params params; // FIXME: get params from somewhere Store::Params params; // FIXME: get params from somewhere
// Disable caching since the client already does that. // Disable caching since the client already does that.
params["path-info-cache-size"] = "0"; params["path-info-cache-size"] = "0";
auto store = openStore(settings.storeUri, params); auto store = openStore(settings.storeUri, params);
store->createUser(userName, userId); authHook(*store);
tunnelLogger->stopWork(); tunnelLogger->stopWork();
to.flush(); to.flush();
@ -1060,7 +1057,15 @@ static void daemonLoop(char * * argv)
/* Handle the connection. */ /* Handle the connection. */
from.fd = remote.get(); from.fd = remote.get();
to.fd = remote.get(); to.fd = remote.get();
processConnection(trusted, user, peer.uid); processConnection(trusted, [&](Store & store) {
#if 0
/* Prevent users from doing something very dangerous. */
if (geteuid() == 0 &&
querySetting("build-users-group", "") == "")
throw Error("if you run 'nix-daemon' as root, then you MUST set 'build-users-group'!");
#endif
store.createUser(user, peer.uid);
});
exit(0); exit(0);
}, options); }, options);
@ -1140,7 +1145,10 @@ static int _main(int argc, char * * argv)
} }
} }
} else { } else {
processConnection(true, "root", 0); /* Auth hook is empty because in this mode we blindly trust the
standard streams. Limitting access to thoses is explicitly
not `nix-daemon`'s responsibility. */
processConnection(true, [&](Store & _){});
} }
} else { } else {
daemonLoop(argv); daemonLoop(argv);

3
tests/remote-store.sh
View file

@ -2,6 +2,9 @@ source common.sh
clearStore clearStore
# Ensure "fake ssh" remote store works just as legacy fake ssh would.
nix --store ssh-ng://localhost?remote-store=$TEST_ROOT/other-store doctor
startDaemon startDaemon
storeCleared=1 NIX_REMOTE_=$NIX_REMOTE $SHELL ./user-envs.sh storeCleared=1 NIX_REMOTE_=$NIX_REMOTE $SHELL ./user-envs.sh