felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-05-31 02:11:13 +02:00
Code Issues Projects Releases Wiki Activity

fixup! WIP: temmie/userweb: inject users from passwd into httpd sandbox

Browse Source
This commit is contained in:
h7x4
2026-05-30 20:08:24 +09:00
parent 630cbe2e78
commit e56000940a
1 changed files with 40 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
hosts/temmie/services/userweb/default.nix
View File

@@ -130,6 +130,9 @@ let
file file
findutils findutils
gawk gawk
glibc.getent
strace
systemd
gnugrep gnugrep
gnumake gnumake
gnupg gnupg
@@ -284,7 +287,7 @@ in
ExecStartPre = let ExecStartPre = let
rsyncCommand = ''${lib.getExe pkgs.rsync} -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey" -avz''; rsyncCommand = ''${lib.getExe pkgs.rsync} -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey" -avz'';
in lib.mkForce [ in lib.mkForce [
(lib.getExe (pkgs.writeShellApplication { "${lib.getExe (pkgs.writeShellApplication {
name = "http-exec-start-pre-remove-old-semaphores"; name = "http-exec-start-pre-remove-old-semaphores";
text = '' text = ''
# Get rid of old semaphores. These tend to accumulate across # Get rid of old semaphores. These tend to accumulate across
@@ -294,14 +297,20 @@ in
${pkgs.util-linux}/bin/ipcrm -s "$i" ${pkgs.util-linux}/bin/ipcrm -s "$i"
done done
''; '';
})) })}"
# "${pkgs.systemd}/bin/resolvectl query smtp.pvv.ntnu.no"
"${pkgs.strace}/bin/strace ${pkgs.glibc.getent}/bin/getent ahosts smtp.pvv.ntnu.no"
"${rsyncCommand} pvv@smtp.pvv.ntnu.no:/etc/passwd /run/httpd/pamunix-sync/" "${rsyncCommand} pvv@smtp.pvv.ntnu.no:/etc/passwd /run/httpd/pamunix-sync/"
"${rsyncCommand} pvv@smtp.pvv.ntnu.no:/etc/group /run/httpd/pamunix-sync/" "${rsyncCommand} pvv@smtp.pvv.ntnu.no:/etc/group /run/httpd/pamunix-sync/"
# "+|echo 'wwwrun:x:54:54:Apache httpd user:/var/empty:/run/current-system/sw/bin/nologin' >> /run/httpd/pamunix-sync/passwd"
# "+|echo 'root:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash' >> /run/httpd/pamunix-sync/passwd"
# "+|echo 'wwwrun:x:54:' >> /run/httpd/pamunix-sync/group"
# "${rsyncCommand} pvv@smtp.pvv.ntnu.no:/etc/shadow /run/httpd/pamunix-sync/" # "${rsyncCommand} pvv@smtp.pvv.ntnu.no:/etc/shadow /run/httpd/pamunix-sync/"
(let (let
args = lib.cli.toCommandLineShellGNU { } { args = lib.cli.toCommandLineShellGNU { } {
passwd-file = "/run/httpd/pamunix-sync/passwd"; passwd-file = "/run/httpd/pamunix-sync/passwd";
group-file = "/run/httpd/pamunix-sync/group"; group-file = "/run/httpd/pamunix-sync/group";
output-dir = "/run/httpd/systemd-userdb";
shadow-file = pkgs.emptyFile; shadow-file = pkgs.emptyFile;
email-domain = "pvv.ntnu.no"; email-domain = "pvv.ntnu.no";
ignore-user-file = toString ./ignore_user_file.txt; ignore-user-file = toString ./ignore_user_file.txt;
@@ -312,7 +321,7 @@ in
set-default-mount-no-execute = "false"; set-default-mount-no-execute = "false";
}; };
in ''${lib.getExe pkgs.passwd2systemd-users} ${args}'') in ''${lib.getExe pkgs.passwd2systemd-users} ${args}'')
"${lib.getExe' pkgs.coreutils "shred"} /run/httpd/pamunix-sync/passwd /run/httpd/pamunix-sync/group" "${lib.getExe' pkgs.coreutils "shred"} -u /run/httpd/pamunix-sync/passwd /run/httpd/pamunix-sync/group"
]; ];
ExecStart = lib.mkForce "${cfg.package}/bin/httpd -D FOREGROUND -f /etc/httpd/httpd.conf -k start"; ExecStart = lib.mkForce "${cfg.package}/bin/httpd -D FOREGROUND -f /etc/httpd/httpd.conf -k start";
ExecReload = lib.mkForce "${cfg.package}/bin/httpd -f /etc/httpd/httpd.conf -k graceful"; ExecReload = lib.mkForce "${cfg.package}/bin/httpd -f /etc/httpd/httpd.conf -k graceful";
@@ -328,8 +337,9 @@ in
LogsDirectory = [ "httpd" ]; LogsDirectory = [ "httpd" ];
LogsDirectoryMode = "0700"; LogsDirectoryMode = "0700";
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_PTRACE" ];
LockPersonality = true; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_PTRACE" ];
# LockPersonality = true;
PrivateDevices = true; PrivateDevices = true;
PrivateTmp = true; PrivateTmp = true;
# NOTE: this removes CAP_NET_BIND_SERVICE... # NOTE: this removes CAP_NET_BIND_SERVICE...
@@ -356,9 +366,9 @@ in
"tcp:443" "tcp:443"
]; ];
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ # SystemCallFilter = [
"@system-service" # "@system-service"
]; # ];
UMask = "0077"; UMask = "0077";
RuntimeDirectory = [ RuntimeDirectory = [
@@ -371,9 +381,30 @@ in
BindReadOnlyPaths = [ BindReadOnlyPaths = [
builtins.storeDir builtins.storeDir
"/etc" "/etc"
"/dev/null"
# NCSD socket # NCSD socket
"/var/run" # "/var/run"
# "/var/run/systemd/resolve"
"/etc/resolv.conf"
"/var/lib/acme" "/var/lib/acme"
"/run/httpd/systemd-userdb:/etc/userdb"
"${pkgs.writeText "userweb-fake-nsswitch.conf" ''
passwd: systemd files
group: systemd files
shadow: systemd files
sudoers: files
hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns
networks: files
ethers: files
services: files
protocols: files
rpc: files
subuid: files
subgid: files
''}:/etc/nsswitch.conf"
"${fhsEnv}/bin:/bin" "${fhsEnv}/bin:/bin"
"${fhsEnv}/sbin:/sbin" "${fhsEnv}/sbin:/sbin"