Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/znc: harden systemd unit #122241

Merged
merged 3 commits into from
May 18, 2021
Merged

nixos/znc: harden systemd unit #122241

merged 3 commits into from
May 18, 2021

Conversation

dotlambda
Copy link
Member

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@dotlambda dotlambda requested a review from infinisil May 8, 2021 20:51
@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels May 8, 2021
dotlambda
dotlambda commented May 8, 2021
View reviewed changes
nixos/modules/services/networking/znc/default.nix
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
UMask = "0027";
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think znc creates files with umask 0077 by default, so maybe we should set the same? I don't understand why people do that: It's useful to have a way to give a process (e.g. a backup program) just read access by using the group.

@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 10.rebuild-linux: 1 labels May 8, 2021
@dotlambda dotlambda requested a review from mweinelt May 10, 2021 12:14
@dotlambda dotlambda mentioned this pull request May 12, 2021
Closed
@dotlambda dotlambda added this to the 21.05 milestone May 16, 2021
@dotlambda dotlambda merged commit d189df2 into NixOS:master May 18, 2021
@dotlambda dotlambda deleted the znc-harden branch May 18, 2021 15:44
@eyJhb
Copy link
Member

eyJhb commented May 21, 2021

Quite sure this breaks using chown on ie. https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/networking/znc/default.nix#L276

Currently getting

May 21 11:23:54 tutti znc-pre-start[1674]: znc is set to be system-managed. Now deleting old znc.conf file to be regenerated.
May 21 11:23:54 tutti znc-pre-start[1674]: No znc.conf file found in /var/lib/znc. Creating one now.
May 21 11:23:54 tutti systemd-coredump[1682]: Process 1680 (chown) of user 128 dumped core.
May 21 11:23:54 tutti znc-pre-start[1674]: /nix/store/l9aigmli01ydzd8cf93mls41hmh2bgkj-unit-script-znc-pre-start/bin/znc-pre-start: line 15:  1680 Bad system call         (core dumped) chown znc /var/lib/znc/configs/znc.conf

@eyJhb eyJhb mentioned this pull request May 21, 2021
Merged
9 tasks
winterqt
winterqt reviewed Dec 6, 2023
View reviewed changes
nixos/modules/services/networking/znc/default.nix
ProtectSystem = "strict";
ReadWritePaths = [ cfg.dataDir ];
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
Copy link
Member

@winterqt winterqt Dec 6, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I haven't gotten to the entire "why" of the issue yet (see below), but this needs to include AF_UNIX in order for ZNC to make host lookups, because of nscd.

Is anyone running this in a default configuration who doesn't have DNS lookup issues? I'm not sure why I'd be running into issues and nobody else is, I don't have an abnormal nsswitch configuration or anything...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@winterqt winterqt winterqt left review comments

@infinisil infinisil Awaiting requested review from infinisil

@mweinelt mweinelt Awaiting requested review from mweinelt

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 10.rebuild-linux: 1
Projects
None yet
Milestone
21.05
Development

Successfully merging this pull request may close these issues.
3 participants
@dotlambda @eyJhb @winterqt