summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2016-02-14 13:26:37 +0100
committertv <tv@krebsco.de>2016-02-14 13:26:37 +0100
commite890eb244af82ba678e894a84983db5057fbb60a (patch)
treeb902427fc2651d134d7ba8daf0d38ff4a94a968b
parentc1a9a89c9a211b48bb04f1862a216bb5d444c3a2 (diff)
krebs.setuid: init
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/setuid.nix75
-rw-r--r--tv/2configs/xu-qemu0.nix44
3 files changed, 90 insertions, 30 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 3d51076cf..b2a02e9c7 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -27,6 +27,7 @@ let
./retiolum-bootstrap.nix
./realwallpaper.nix
./retiolum.nix
+ ./setuid.nix
./tinc_graphs.nix
./urlwatch.nix
];
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
new file mode 100644
index 000000000..22123c926
--- /dev/null
+++ b/krebs/3modules/setuid.nix
@@ -0,0 +1,75 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+ cfg = config.krebs.setuid;
+
+ out = {
+ options.krebs.setuid = api;
+ config = imp;
+ };
+
+ api = mkOption {
+ default = {};
+ type = let
+ # TODO make wrapperDir configurable
+ inherit (config.security) wrapperDir;
+ inherit (config.users) groups users;
+ in types.attrsOf (types.submodule ({ config, ... }: {
+ options = {
+ name = mkOption {
+ type = types.filename;
+ default = config._module.args.name;
+ };
+ filename = mkOption {
+ type = mkOptionType {
+ # TODO unyuck string and merge with toC
+ name = "derivation or string";
+ check = x:
+ isDerivation x ||
+ isString x;
+ };
+ apply = toString;
+ };
+ owner = mkOption {
+ default = "root";
+ type = types.enum (attrNames users);
+ };
+ group = mkOption {
+ default = "root";
+ type = types.enum (attrNames groups);
+ };
+ mode = mkOption {
+ default = "4710";
+ type = mkOptionType {
+ # TODO admit symbolic mode
+ name = "octal mode";
+ check = x:
+ isString x &&
+ match "[0-7][0-7][0-7][0-7]" x != null;
+ };
+ };
+ activate = mkOption {
+ type = types.str;
+ visible = false;
+ readOnly = true;
+ };
+ };
+ config.activate = let
+ src = pkgs.execve config.name {
+ inherit (config) filename;
+ };
+ dst = "${wrapperDir}/${config.name}";
+ in ''
+ cp ${src} ${dst}
+ chown ${config.owner}.${config.group} ${dst}
+ chmod ${config.mode} ${dst}
+ '';
+ }));
+ };
+
+ imp = {
+ system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ]
+ (concatMapStringsSep "\n" (getAttr "activate") (attrValues cfg));
+ };
+
+in out
diff --git a/tv/2configs/xu-qemu0.nix b/tv/2configs/xu-qemu0.nix
index 9962ca56a..df35f5c3f 100644
--- a/tv/2configs/xu-qemu0.nix
+++ b/tv/2configs/xu-qemu0.nix
@@ -79,7 +79,7 @@ with lib;
${pkgs.kvm}/bin/qemu-img create "$img" 10G
fi
exec ${pkgs.kvm}/bin/qemu-kvm \
- -monitor unix:$HOME/tmp/xu-qemu0.sock,server,nowait \
+ -monitor unix:$HOME/tmp/xu-qemu0-monitor.sock,server,nowait \
-boot order=cd \
-cdrom ${pkgs.fetchurl {
url = https://nixos.org/releases/nixos/15.09/nixos-15.09.1012.9fe0c23/nixos-minimal-15.09.1012.9fe0c23-x86_64-linux.iso;
@@ -95,36 +95,20 @@ with lib;
};
};
- system.activationScripts."krebs.setuid.xu-qemu0-monitor" = stringAfter [ "setuid" ] ''
- src=${pkgs.execve "xu-qemu0-monitor" {
- # TODO toC should handle derivation, then we don't have to "${...}" here
- filename = "${pkgs.writeDash "xu-qemu0-monitor" ''
- exec ${pkgs.socat}/bin/socat \
- stdio \
- UNIX-CONNECT:${config.users.users.xu-qemu0.home}/tmp/xu-qemu0.sock \
- ''}";
- }}
- dst=${config.security.wrapperDir}/xu-qemu0-monitor
- cp "$src" "$dst"
- chown xu-qemu0.tv "$dst"
- chmod 4710 "$dst"
- '';
+ krebs.setuid.xu-qemu0-monitor = {
+ filename = pkgs.writeDash "xu-qemu0-monitor" ''
+ exec ${pkgs.socat}/bin/socat \
+ stdio \
+ UNIX-CONNECT:${config.users.users.xu-qemu0.home}/tmp/xu-qemu0-monitor.sock \
+ '';
+ owner = "xu-qemu0";
+ group = "tv";
+ };
- #TODO krebs.setuid.qemu-bridge-helper = {
- # filename = "${pkgs.qemu}/libexec/qemu-bridge-helper";
- # owner = "root";
- # group = "qemu-users";
- # mode = "4710";
- #};
- system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ] ''
- src=${pkgs.execve "qemu-bridge-helper" {
- filename = "${pkgs.qemu}/libexec/qemu-bridge-helper";
- }}
- dst=${config.security.wrapperDir}/qemu-bridge-helper
- cp "$src" "$dst"
- chown root.qemu-users "$dst"
- chmod 4710 "$dst"
- '';
+ krebs.setuid.qemu-bridge-helper = {
+ filename = "${pkgs.qemu}/libexec/qemu-bridge-helper";
+ group = "qemu-users";
+ };
users.users.qemu-dnsmasq.uid = genid "qemu-dnsmasq";