Skip to content

[backport 2.3] Separate auth and logic for the daemon #5640

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Ericson2314 merged 1 commit into from
Feb 17, 2025
Merged

[backport 2.3] Separate auth and logic for the daemon #5640

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 19 additions & 11 deletions src/nix-daemon/nix-daemon.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -743,7 +743,11 @@ static void performOp(TunnelLogger * logger, ref<Store> store,


static void processConnection(bool trusted,
const std::string & userName, uid_t userId)
/* Arbitrary hook to check authorization / initialize user data / whatever
after the protocol has been negotiated. The idea is that this function
and everything it calls doesn't know about this stuff, and the
`nix-daemon` handles that instead. */
std::function<void(Store &)> authHook)
{
MonitorFdHup monitor(from.fd);

Expand Down Expand Up @@ -781,20 +785,13 @@ static void processConnection(bool trusted,
/* If we can't accept clientVersion, then throw an error
*here* (not above). */

#if 0
/* Prevent users from doing something very dangerous. */
if (geteuid() == 0 &&
querySetting("build-users-group", "") == "")
throw Error("if you run 'nix-daemon' as root, then you MUST set 'build-users-group'!");
#endif

/* Open the store. */
Store::Params params; // FIXME: get params from somewhere
// Disable caching since the client already does that.
params["path-info-cache-size"] = "0";
auto store = openStore(settings.storeUri, params);

store->createUser(userName, userId);
authHook(*store);

tunnelLogger->stopWork();
to.flush();
Expand Down Expand Up @@ -1060,7 +1057,15 @@ static void daemonLoop(char * * argv)
/* Handle the connection. */
from.fd = remote.get();
to.fd = remote.get();
processConnection(trusted, user, peer.uid);
processConnection(trusted, [&](Store & store) {
#if 0
/* Prevent users from doing something very dangerous. */
if (geteuid() == 0 &&
querySetting("build-users-group", "") == "")
throw Error("if you run 'nix-daemon' as root, then you MUST set 'build-users-group'!");
#endif
store.createUser(user, peer.uid);
});

exit(0);
}, options);
Expand Down Expand Up @@ -1140,7 +1145,10 @@ static int _main(int argc, char * * argv)
}
}
} else {
processConnection(true, "root", 0);
/* Auth hook is empty because in this mode we blindly trust the
standard streams. Limitting access to thoses is explicitly
not `nix-daemon`'s responsibility. */
processConnection(true, [&](Store & _){});
}
} else {
daemonLoop(argv);
Expand Down
3 changes: 3 additions & 0 deletions tests/remote-store.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,9 @@ source common.sh

clearStore

# Ensure "fake ssh" remote store works just as legacy fake ssh would.
nix --store ssh-ng://localhost?remote-store=$TEST_ROOT/other-store doctor

startDaemon

storeCleared=1 NIX_REMOTE_=$NIX_REMOTE $SHELL ./user-envs.sh
Expand Down
Loading