nixos/nix-serve: don't run as nogroup

nogroup is insecure if shared
This commit is contained in:
Jörg Thalheim 2020-12-12 09:29:40 +01:00
parent 2489eb5e45
commit ac7b8724b5
5 changed files with 36 additions and 9 deletions

View file

@ -229,7 +229,7 @@ in
grafana = 196;
skydns = 197;
# ripple-rest = 198; # unused, removed 2017-08-12
nix-serve = 199;
# nix-serve = 199; # unused, removed 2020-12-12
tvheadend = 200;
uwsgi = 201;
gitit = 202;

View file

@ -69,13 +69,9 @@ in
ExecStart = "${pkgs.nix-serve}/bin/nix-serve " +
"--listen ${cfg.bindAddress}:${toString cfg.port} ${cfg.extraParams}";
User = "nix-serve";
Group = "nogroup";
Group = "nix-serve";
DynamicUser = true;
};
};
users.users.nix-serve = {
description = "Nix-serve user";
uid = config.ids.uids.nix-serve;
};
};
}

View file

@ -295,6 +295,7 @@ in
nginx-sandbox = handleTestOn ["x86_64-linux"] ./nginx-sandbox.nix {};
nginx-sso = handleTest ./nginx-sso.nix {};
nginx-variants = handleTest ./nginx-variants.nix {};
nix-serve = handleTest ./nix-ssh-serve.nix {};
nix-ssh-serve = handleTest ./nix-ssh-serve.nix {};
nixos-generate-config = handleTest ./nixos-generate-config.nix {};
nomad = handleTest ./nomad.nix {};

22
nixos/tests/nix-serve.nix Normal file
View file

@ -0,0 +1,22 @@
import ./make-test-python.nix ({ pkgs, ... }:
{
name = "nix-serve";
machine = { pkgs, ... }: {
services.nix-serve.enable = true;
environment.systemPackages = [
pkgs.hello
];
};
testScript = let
pkgHash = builtins.head (
builtins.match "${builtins.storeDir}/([^-]+).+" (toString pkgs.hello)
);
in ''
start_all()
machine.wait_for_unit("nix-serve.service")
machine.wait_for_open_port(5000)
machine.succeed(
"curl --fail -g http://0.0.0.0:5000/nar/${pkgHash}.nar -o /tmp/hello.nar"
)
'';
})

View file

@ -1,5 +1,11 @@
{ lib, stdenv, fetchFromGitHub,
bzip2, nix, perl, makeWrapper,
{ lib
, stdenv
, fetchFromGitHub
, bzip2
, nix
, perl
, makeWrapper
, nixosTests
}:
with lib;
@ -30,6 +36,8 @@ stdenv.mkDerivation {
--add-flags $out/libexec/nix-serve/nix-serve.psgi
'';
passthru.tests.nix-serve = nixosTests.nix-serve;
meta = {
homepage = "https://github.com/edolstra/nix-serve";
description = "A utility for sharing a Nix store as a binary cache";