Skip to content

nixos/dhcpcd: harden and run as unprivileged user#276919

Closed
rnhmjoj wants to merge 62 commits intoNixOS:stagingfrom
rnhmjoj:pr-dhcpcd-root
Closed

nixos/dhcpcd: harden and run as unprivileged user#276919
rnhmjoj wants to merge 62 commits intoNixOS:stagingfrom
rnhmjoj:pr-dhcpcd-root

Conversation

@rnhmjoj
Copy link
Contributor

@rnhmjoj rnhmjoj commented Dec 26, 2023

Description of changes

These changes replace the dhcpcd privsep mode with a combination of POSIX capabilities and systemd security features that allow to fully run dhcpcd as an unprivileged user. See the commit messages for why I think this is an improvement.

There are a couple of backward incompatibilities, but most users shouldn't notice any difference.

Things done

  • Tested via dhcpcd.tests
  • 24.05 Release Notes
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@rnhmjoj rnhmjoj requested a review from joachifm as a code owner December 26, 2023 13:37
@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: documentation This PR adds or changes documentation 8.has: changelog This PR adds or changes release notes 8.has: module (update) This PR changes an existing module in `nixos/` labels Dec 26, 2023
@ofborg ofborg bot added the 2.status: merge conflict This PR has merge conflicts with the target branch label Dec 26, 2023
@bjornfor
Copy link
Contributor

bjornfor commented Dec 26, 2023

nixos/dhcpcd: harden and run as unprivileged user

Did you consider/try with DynamicUser?

@rnhmjoj
Copy link
Contributor Author

rnhmjoj commented Dec 26, 2023

Did you consider/try with DynamicUser?

No, but I think it should work alright: there isn't too much state being handled (just a couple of files per interface + one for each wireless network) and no other user in the dhcpcd group.

@rnhmjoj rnhmjoj force-pushed the pr-dhcpcd-root branch 2 times, most recently from 23390a4 to 4ce16de Compare January 3, 2024 18:24
@rnhmjoj
Copy link
Contributor Author

rnhmjoj commented Jan 3, 2024

@bjornfor I switched to DynamicUser.

@ofborg ofborg bot removed the 2.status: merge conflict This PR has merge conflicts with the target branch label Jan 3, 2024
@ofborg ofborg bot requested a review from edolstra January 3, 2024 21:00
@ofborg ofborg bot added 10.rebuild-darwin: 11-100 This PR causes between 11 and 100 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 1001-2500 This PR causes many rebuilds on Linux and should target the staging branches. labels Jan 3, 2024
@rnhmjoj rnhmjoj changed the base branch from master to staging January 4, 2024 09:22
bjornfor
bjornfor reviewed Jan 4, 2024
View reviewed changes
bjornfor
bjornfor reviewed Jan 4, 2024
View reviewed changes
bjornfor
bjornfor reviewed Jan 4, 2024
View reviewed changes
@rnhmjoj rnhmjoj force-pushed the pr-dhcpcd-root branch 4 times, most recently from 18000d1 to 32f3e4e Compare January 10, 2024 00:13
@ofborg ofborg bot added the 2.status: merge conflict This PR has merge conflicts with the target branch label Jan 10, 2024
@ofborg ofborg bot removed the 2.status: merge conflict This PR has merge conflicts with the target branch label Jan 10, 2024
OPNA2608 and others added 10 commits August 24, 2024 11:12
@OPNA2608
Merge pull request NixOS#334952 from OPNA2608/fix/ayatana-lomiri-indi…
eb76459 
…cator-marking

nixos/ayatana-indicators: Split ayatana and lomiri indicators
@PerchunPak @teto
vimPlugins.peskcolor-vim: remove
f000d70 
Upstream went missing
@jnsgruk
Merge pull request NixOS#336973 from jnsgruk/pytouchlinesl
bc74f40
@rnhmjoj
nixos/resolvconf: add a resolvconf group
d9d828b 
This group is useful to allow specific users to run resolvconf and
(and this modify /etc/resolv.conf) without root privileges.
@rnhmjoj
dhcpcd: disable privsep by default
aa64e2d 
The priviledge separation mode has several downsides:

  - it's incompatible with alternative memory allocators, including
    graphene-hardened;

  - it needs an unreleased patch to fix a crash;

  - it results in none less than 6 subprocesses running at any time,
    increasing the memory usage;

  - the privileged process (albeit not doing any networking related
    tasks) is still running as root, so it has complete access to the
    system.

Let's disable this by default and instead run dhcpcd as an unpriviledge
user with only the necessary capabilities.
@rnhmjoj
nixos/dhcpcd: remove ntpd workaround
5e51ad5 
This workaround for NTP daemons has been there for 12 years and is most
likely not needed anymore.
@rnhmjoj
nixos/tests/networking: test nameservers via DHCP
c079502
@rnhmjoj
nixos/dhcpcd: harden and run as unprivileged user
e3ca5bc
@rnhmjoj
dhcpcd: move database to /var/lib
ae9b020
@rnhmjoj
nixos/release-notes: mention dhcpcd changes
13f72bb
@github-actions github-actions bot added 6.topic: python Python is a high-level, general-purpose programming language. 6.topic: vim Advanced text editor 6.topic: nodejs Node.js is a free, open-source, cross-platform JavaScript runtime environment 6.topic: php PHP is a general-purpose scripting language geared towards web development. labels Aug 24, 2024
@rnhmjoj rnhmjoj closed this Aug 24, 2024
@ofborg ofborg bot added 8.has: clean-up This PR removes packages or removes other cruft 10.rebuild-darwin: 101-500 This PR causes between 101 and 500 packages to rebuild on Darwin. 10.rebuild-linux: 101-500 This PR causes between 101 and 500 packages to rebuild on Linux. and removed 2.status: merge conflict This PR has merge conflicts with the target branch 10.rebuild-darwin: 11-100 This PR causes between 11 and 100 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 1001-2500 This PR causes many rebuilds on Linux and should target the staging branches. labels Aug 24, 2024
@rnhmjoj rnhmjoj mentioned this pull request Oct 8, 2024
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bjornfor bjornfor bjornfor left review comments

@joachifm joachifm Awaiting requested review from joachifm

@edolstra edolstra Awaiting requested review from edolstra

@aanderse aanderse Awaiting requested review from aanderse

@drupol drupol Awaiting requested review from drupol

@globin globin Awaiting requested review from globin

@Ma27 Ma27 Awaiting requested review from Ma27

@talyz talyz Awaiting requested review from talyz

@figsoda figsoda Awaiting requested review from figsoda

+1 more reviewer

@Janik-Haag Janik-Haag Janik-Haag left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 6.topic: nodejs Node.js is a free, open-source, cross-platform JavaScript runtime environment 6.topic: php PHP is a general-purpose scripting language geared towards web development. 6.topic: python Python is a high-level, general-purpose programming language. 6.topic: vim Advanced text editor 8.has: changelog This PR adds or changes release notes 8.has: clean-up This PR removes packages or removes other cruft 8.has: documentation This PR adds or changes documentation 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 101-500 This PR causes between 101 and 500 packages to rebuild on Darwin. 10.rebuild-linux: 101-500 This PR causes between 101 and 500 packages to rebuild on Linux.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.