From 049c0eb49c621ae50f49c8a06dc6c3a9839ef388 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 17 Jul 2014 16:57:07 +0200 Subject: nix-daemon: Add trusted-users and allowed-users options MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ‘trusted-users’ is a list of users and groups that have elevated rights, such as the ability to specify binary caches. It defaults to ‘root’. A typical value would be ‘@wheel’ to specify all users in the wheel group. ‘allowed-users’ is a list of users and groups that are allowed to connect to the daemon. It defaults to ‘*’. A typical value would be ‘@users’ to specify the ‘users’ group.
---
 src/nix-daemon/nix-daemon.cc | 38 +++++++++++++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-) (limited to 'src/nix-daemon')
diff --git a/src/nix-daemon/nix-daemon.cc b/src/nix-daemon/nix-daemon.cc
index fd030fe47674..dde501d30990 100644
--- a/src/nix-daemon/nix-daemon.cc
+++ b/src/nix-daemon/nix-daemon.cc
@@ -7,6 +7,8 @@
 #include "affinity.hh"
 #include "globals.hh"
+#include
+
 #include
 #include
 #include
@@ -18,6 +20,7 @@
 #include
 #include
 #include
+#include
 using namespace nix;
@@ -451,7 +454,7 @@ static void performOp(bool trusted, unsigned int clientVersion,
 case wopImportPaths: {
 startWork();
 TunnelSource source(from);
- Paths paths = store->importPaths(true, source);
+ Paths paths = store->importPaths(!trusted, source);
 stopWork();
 writeStrings(paths, to);
 break;
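Review bot: The bare `!trusted` passed to `importPaths` does not say what it controls, and if that first argument is the require-signature flag (as it appears to be), every user or group listed in `trusted-users` can now import unsigned paths into the store. That is a large privilege to hang on an unnamed boolean; a comment above the call such as `/* trusted clients may import paths without a signature */` would make the security decision visible to the next reader. Since `trusted` is a parameter here, the comment should also note that it reflects the peer credentials evaluated when the connection was accepted. The `case` sits inside `performOp`, whose body starts and ends outside the hunk.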
@@ -770,6 +773,27 @@ static void setSigChldAction(bool autoReap)
 }
+bool matchUser(const string & user, const string & group, const Strings & users)
+{
+ if (find(users.begin(), users.end(), "*") != users.end())
+ return true;
+
+ if (find(users.begin(), users.end(), user) != users.end())
+ return true;
+
+ for (auto & i : users)
+ if (string(i, 0, 1) == "@") {
+ if (group == string(i, 1)) return true;
+ struct group * gr = getgrnam(i.c_str() + 1);
+ if (!gr) continue;
+ for (char * * mem = gr->gr_mem; *mem; mem++)
+ if (user == string(*mem)) return true;
+ }
+
+ return false;
+}
+
+
 #define SD_LISTEN_FDS_START 3
@@ -870,9 +894,17 @@ static void daemonLoop()
 struct passwd * pw = getpwuid(cred.uid);
 string user = pw ? pw->pw_name : int2String(cred.uid);
- if (cred.uid == 0) trusted = true;
+ struct group * gr = getgrgid(cred.gid);
+ string group = gr ? gr->gr_name : int2String(cred.gid);
+
+ if (matchUser(user, group, settings.trustedUsers))
+ trusted = true;
+
+ if (!trusted && !matchUser(user, group, settings.allowedUsers))
+ throw Error(format("user `%1%' is not allowed to connect to the Nix daemon") % user);
- printMsg(lvlInfo, format("accepted connection from pid %1%, user %2%") % clientPid % user);
+ printMsg(lvlInfo, format((string) "accepted connection from pid %1%, user %2%"
+ + (trusted ? " (trusted)" : "")) % clientPid % user);
 #endif
 /* Fork a child to handle the connection. */
-- cgit 1.4.1
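Review bot: `matchUser` has no comment describing the entry syntax it accepts, and because the `*` test runs for whichever list is passed in, a `*` in `trusted-users` would mark every connecting user as trusted. A header comment should list the three forms (`*`, a user name, `@group` matched against the primary group name and then the group's member list) and state that `*` is honoured for both lists. In the `@group` branch, `if (!gr) continue;` treats a failed `getgrnam` lookup the same as a missing group; that fails closed, but silently, so a debug message there would help when a group entry stops matching. As far as the diff shows the function is only used in this file, so `static bool matchUser(...)` would keep it out of the global namespace.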
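Review bot: The trust and access decisions in `daemonLoop` are made on display strings, and when `getpwuid` or `getgrgid` fails those strings fall back to the decimal uid/gid, so an unresolvable uid would match a list entry that happens to be spelled as that number (likewise `@<gid>` for the group). The numeric fallback is useful for the log line but should not feed the match; something like `matchUser(pw ? user : "", gr ? group : "", settings.trustedUsers)`, and the same for `allowedUsers`, keeps authorization tied to names that actually resolved. The new checks also sit directly before an `#endif` whose opening `#if` is outside the hunk, so on builds where that block is compiled out `allowed-users` appears not to be enforced at all. That case deserves at least a comment, or a refusal to start when the list is anything other than `*`.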