From 91a7f33b640183c6e665932ad14ff5b9972226f8 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Tue, 14 Apr 2020 14:04:04 +0300 Subject: [PATCH 1/7] nixos/unit: fix starting service --- nixos/modules/services/web-servers/unit/default.nix | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/nixos/modules/services/web-servers/unit/default.nix b/nixos/modules/services/web-servers/unit/default.nix index f8a18954fc9..9620d2b67b2 100644 --- a/nixos/modules/services/web-servers/unit/default.nix +++ b/nixos/modules/services/web-servers/unit/default.nix @@ -91,19 +91,23 @@ in { description = "Unit App Server"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - path = with pkgs; [ curl ]; preStart = '' - test -f '${cfg.stateDir}/conf.json' || rm -f '${cfg.stateDir}/conf.json' + [ ! -e '${cfg.stateDir}/conf.json' ] || rm -f '${cfg.stateDir}/conf.json' ''; postStart = '' - curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config' + ${pkgs.curl}/bin/curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config' ''; serviceConfig = { + Type = "forking"; + PIDFile = "/run/unit/unit.pid"; ExecStart = '' ${cfg.package}/bin/unitd --control 'unix:/run/unit/control.unit.sock' --pid '/run/unit/unit.pid' \ - --log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' --no-daemon \ + --log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' \ --user ${cfg.user} --group ${cfg.group} ''; + ExecStop = '' + ${pkgs.curl}/bin/curl -X DELETE --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config' + ''; # User and group User = cfg.user; Group = cfg.group; From 3eb6012b64bc8ef243168ea8edce6c417cb8ad03 Mon Sep 17 00:00:00 2001 
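Review bot: The new postStart line `${pkgs.curl}/bin/curl -X PUT --data-binary '@${configFile}' ...` does not pass `--fail`, so a configuration the control socket rejects with an HTTP error still exits 0 and the service is reported active with no application configured; the added ExecStop DELETE has the same gap. `${pkgs.curl}/bin/curl --fail -sS -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config'` makes a rejected config visible in the journal and in the unit state. The rewritten preStart guard `[ ! -e '${cfg.stateDir}/conf.json' ] || rm -f '${cfg.stateDir}/conf.json'` is equivalent to plain `rm -f '${cfg.stateDir}/conf.json'`, since `rm -f` already tolerates a missing file, and a one-line comment saying the persisted state is discarded so that postStart's PUT is authoritative would explain why the file is removed at all.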
From: Izorkin Date: Tue, 14 Apr 2020 16:07:30 +0300 Subject: [PATCH 2/7] nixos/unit: update sandboxing mode --- nixos/modules/services/web-servers/unit/default.nix | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/nixos/modules/services/web-servers/unit/default.nix b/nixos/modules/services/web-servers/unit/default.nix index 9620d2b67b2..59f03c923e6 100644 --- a/nixos/modules/services/web-servers/unit/default.nix +++ b/nixos/modules/services/web-servers/unit/default.nix @@ -113,23 +113,30 @@ in { Group = cfg.group; # Capabilities AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ]; + # Runtime directory and mode + RuntimeDirectory = "unit"; + RuntimeDirectoryMode = "0750"; + # Access write directories + ReadWritePaths = [ cfg.stateDir cfg.logDir ]; # Security NoNewPrivileges = true; # Sandboxing - ProtectSystem = "full"; + ProtectSystem = "strict"; ProtectHome = true; - RuntimeDirectory = "unit"; - RuntimeDirectoryMode = "0750"; PrivateTmp = true; PrivateDevices = true; ProtectHostname = true; ProtectKernelTunables = true; ProtectKernelModules = true; ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; LockPersonality = true; MemoryDenyWriteExecute = true; RestrictRealtime = true; + RestrictSUIDSGID = true; PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; }; }; From cfad151ac56248dd6b74c298a4f864546ac78a3e Mon Sep 17 00:00:00 2001 From: Izorkin Date: Tue, 14 Apr 2020 23:33:33 +0300 Subject: [PATCH 3/7] nixos/unit: run Unit as root In latest release recommended not set ambient capabilities. --- nixos/modules/services/web-servers/unit/default.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/nixos/modules/services/web-servers/unit/default.nix b/nixos/modules/services/web-servers/unit/default.nix index 59f03c923e6..989866144e1 100644 --- a/nixos/modules/services/web-servers/unit/default.nix 
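Review bot: `ReadWritePaths = [ cfg.stateDir cfg.logDir ]` under the new `ProtectSystem = "strict"` is the whole write allow-list for the service, and since Unit launches its application processes from the daemon started here, that list also confines the PHP/Python/Perl apps it runs; an app writing to a session or upload directory elsewhere will now fail with a read-only error that nothing in the module explains. A comment on that line such as `# ProtectSystem=strict: applications started by Unit may only write below these paths` (and possibly a module option to extend the list) would make the contract explicit. `MemoryDenyWriteExecute = true` applies to those application processes too and is known to break runtimes that JIT into writable-executable memory; none of the interpreters wired up in this series seems to need that, but a comment would tell the next person enabling a JIT-based module where to look. The `# System Call Filtering` heading only introduces `SystemCallArchitectures = "native"`; if a `SystemCallFilter` is deliberately omitted because Unit needs privileged calls to switch users, say so in the comment instead of leaving the heading to imply a filter is in place.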
+++ b/nixos/modules/services/web-servers/unit/default.nix @@ -108,11 +108,6 @@ in { ExecStop = '' ${pkgs.curl}/bin/curl -X DELETE --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config' ''; - # User and group - User = cfg.user; - Group = cfg.group; - # Capabilities - AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ]; # Runtime directory and mode RuntimeDirectory = "unit"; RuntimeDirectoryMode = "0750"; From f87bc139309991449031678217ab472810dcaa93 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Wed, 15 Apr 2020 08:48:09 +0300 Subject: [PATCH 4/7] unit: remove drop capabilites patch --- pkgs/servers/http/unit/default.nix | 5 -- pkgs/servers/http/unit/drop_cap.patch | 79 --------------------------- 2 files changed, 84 deletions(-) delete mode 100644 pkgs/servers/http/unit/drop_cap.patch diff --git a/pkgs/servers/http/unit/default.nix b/pkgs/servers/http/unit/default.nix index 0779a31f106..f90395b3cec 100644 --- a/pkgs/servers/http/unit/default.nix +++ b/pkgs/servers/http/unit/default.nix @@ -39,11 +39,6 @@ in stdenv.mkDerivation rec { sha256 = "19gclqhwccpi7y4386ap33ycwhylv4s4kwfc6ik8scmc4pw3sj9l"; }; - patches = [ - # https://github.com/nginx/unit/issues/357 - ./drop_cap.patch - ]; - nativeBuildInputs = [ which ]; buildInputs = [ ] diff --git a/pkgs/servers/http/unit/drop_cap.patch b/pkgs/servers/http/unit/drop_cap.patch deleted file mode 100644 index 87caf77904e..00000000000 --- a/pkgs/servers/http/unit/drop_cap.patch +++ /dev/null 
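Review bot: Removing `User`/`Group` and `AmbientCapabilities` leaves the main `unitd` process running as root with the default capability bounding set, and the hunk adds nothing in their place; `ProtectSystem = "strict"`, `ReadWritePaths` and `PrivateTmp` are implemented with mount namespaces, which a root process retaining `CAP_SYS_ADMIN` can in principle undo, so the sandbox is weaker than the surrounding options suggest. Keeping the capabilities the series previously granted as the bounding set, `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];`, would preserve those guarantees while still letting Unit switch application processes to the `--user ${cfg.user} --group ${cfg.group}` that ExecStart still passes; whether Unit needs anything beyond that set should be checked against the upstream recommendation the commit message refers to. The `user`/`group` options now only affect the application processes rather than the service itself, and their descriptions, which are outside this hunk, should say so.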
@@ -1,79 +0,0 @@ -diff -r ed17ce89119f src/nxt_capability.c ---- a/src/nxt_capability.c Fri Dec 06 17:02:23 2019 +0000 -+++ b/src/nxt_capability.c Mon Dec 09 23:23:00 2019 +0000 -@@ -93,6 +93,26 @@ nxt_capability_specific_set(nxt_task_t * - return NXT_OK; - } - -+ -+nxt_int_t -+nxt_capability_drop_all(nxt_task_t *task) -+{ -+ struct __user_cap_header_struct hdr; -+ struct __user_cap_data_struct data[2]; -+ -+ hdr.version = nxt_capability_linux_get_version(); -+ hdr.pid = nxt_pid; -+ -+ nxt_memset(data, 0, sizeof(data)); -+ -+ if (nxt_slow_path(nxt_capset(&hdr, data) == -1)) { -+ nxt_alert(task, "failed to drop capabilities %E", nxt_errno); -+ return NXT_ERROR; -+ } -+ -+ return NXT_OK; -+} -+ - #else - - static nxt_int_t -diff -r ed17ce89119f src/nxt_capability.h ---- a/src/nxt_capability.h Fri Dec 06 17:02:23 2019 +0000 -+++ b/src/nxt_capability.h Mon Dec 09 23:23:00 2019 +0000 -@@ -14,4 +14,6 @@ typedef struct { - NXT_EXPORT nxt_int_t nxt_capability_set(nxt_task_t *task, - nxt_capabilities_t *cap); - -+NXT_EXPORT nxt_int_t nxt_capability_drop_all(nxt_task_t *task); -+ - #endif /* _NXT_CAPABILITY_INCLUDED_ */ -diff -r ed17ce89119f src/nxt_process.c ---- a/src/nxt_process.c Fri Dec 06 17:02:23 2019 +0000 -+++ b/src/nxt_process.c Mon Dec 09 23:23:00 2019 +0000 -@@ -264,7 +264,7 @@ cleanup: - static void - nxt_process_start(nxt_task_t *task, nxt_process_t *process) - { -- nxt_int_t ret, cap_setid; -+ nxt_int_t ret, cap_setid, drop_caps; - nxt_port_t *port, *main_port; - nxt_thread_t *thread; - nxt_runtime_t *rt; -@@ -285,9 +285,12 @@ nxt_process_start(nxt_task_t *task, nxt_ - - cap_setid = rt->capabilities.setid; - -+ drop_caps = cap_setid; -+ - #if (NXT_HAVE_CLONE_NEWUSER) -- if (!cap_setid && NXT_CLONE_USER(init->isolation.clone.flags)) { -+ if (NXT_CLONE_USER(init->isolation.clone.flags)) { - cap_setid = 1; -+ drop_caps = 0; - } - #endif - -@@ -301,6 +304,12 @@ nxt_process_start(nxt_task_t *task, nxt_ - if (nxt_slow_path(ret != NXT_OK)) { - goto fail; - } -+ -+#if 
(NXT_HAVE_LINUX_CAPABILITY) -+ if (drop_caps && nxt_capability_drop_all(task) != NXT_OK) { -+ goto fail; -+ } -+#endif - } - - rt->type = init->type; \ No newline at end of file From 866f6dd677ac8aa2c32f90d1b989a8444882dc9e Mon Sep 17 00:00:00 2001 From: Izorkin Date: Thu, 16 Apr 2020 22:52:16 +0300 Subject: [PATCH 5/7] unit: 1.16.0 -> 1.17.0 --- pkgs/servers/http/unit/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/http/unit/default.nix b/pkgs/servers/http/unit/default.nix index f90395b3cec..950dd0c9b19 100644 --- a/pkgs/servers/http/unit/default.nix +++ b/pkgs/servers/http/unit/default.nix @@ -29,14 +29,14 @@ let php72-unit = php72.override phpConfig; php73-unit = php73.override phpConfig; in stdenv.mkDerivation rec { - version = "1.16.0"; + version = "1.17.0"; pname = "unit"; src = fetchFromGitHub { owner = "nginx"; repo = "unit"; rev = version; - sha256 = "19gclqhwccpi7y4386ap33ycwhylv4s4kwfc6ik8scmc4pw3sj9l"; + sha256 = "1q3659vw8rxv4fk7ljkjav8ga72sb3arljfxcqw8b080f9hvi7hh"; }; nativeBuildInputs = [ which ]; From dc0260f7dabf55814b1ca3c37a40ace237ad1fde Mon Sep 17 00:00:00 2001 From: Izorkin Date: Thu, 16 Apr 2020 22:54:57 +0300 Subject: [PATCH 6/7] unit: add php 7.4 --- pkgs/servers/http/unit/default.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pkgs/servers/http/unit/default.nix b/pkgs/servers/http/unit/default.nix index 950dd0c9b19..407882f176e 100644 --- a/pkgs/servers/http/unit/default.nix +++ b/pkgs/servers/http/unit/default.nix @@ -2,7 +2,8 @@ , withPython2 ? false, python2 , withPython3 ? true, python3, ncurses , withPHP72 ? false, php72 -, withPHP73 ? true, php73 +, withPHP73 ? false, php73 +, withPHP74 ? true, php74 , withPerl528 ? false, perl528 , withPerl530 ? true, perl530 , withPerldevel ? false, perldevel 
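Review bot: `withPHP73 ? false` together with `withPHP74 ? true` moves the default PHP module from 7.3 to 7.4, a user-visible change the subject "unit: add php 7.4" does not mention. The commit message should state that the default becomes PHP 7.4 and that existing PHP 7.3 users must set `withPHP73 = true` to keep their module.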
@@ -28,6 +29,8 @@ let php72-unit = php72.override phpConfig; php73-unit = php73.override phpConfig; + php74-unit = php74.override phpConfig; + in stdenv.mkDerivation rec { version = "1.17.0"; pname = "unit"; @@ -46,6 +49,7 @@ in stdenv.mkDerivation rec { ++ optionals withPython3 [ python3 ncurses ] ++ optional withPHP72 php72-unit ++ optional withPHP73 php73-unit + ++ optional withPHP73 php74-unit ++ optional withPerl528 perl528 ++ optional withPerl530 perl530 ++ optional withPerldevel perldevel @@ -68,6 +72,7 @@ in stdenv.mkDerivation rec { ${optionalString withPython3 "./configure python --module=python3 --config=${python3}/bin/python3-config --lib-path=${python3}/lib"} ${optionalString withPHP72 "./configure php --module=php72 --config=${php72-unit.unwrapped.dev}/bin/php-config --lib-path=${php72-unit}/lib"} ${optionalString withPHP73 "./configure php --module=php73 --config=${php73-unit.unwrapped.dev}/bin/php-config --lib-path=${php73-unit}/lib"} + ${optionalString withPHP74 "./configure php --module=php74 --config=${php74-unit.unwrapped.dev}/bin/php-config --lib-path=${php74-unit}/lib"} ${optionalString withPerl528 "./configure perl --module=perl528 --perl=${perl528}/bin/perl"} ${optionalString withPerl530 "./configure perl --module=perl530 --perl=${perl530}/bin/perl"} ${optionalString withPerldevel "./configure perl --module=perldev --perl=${perldevel}/bin/perl"} From ca2145bdfc83382ba7ec83a275734040a2a7fddc Mon Sep 17 00:00:00 2001 From: Izorkin Date: Thu, 16 Apr 2020 23:08:00 +0300 Subject: [PATCH 7/7] nixos/tests: add unit-php test --- nixos/tests/all-tests.nix | 1 + nixos/tests/web-servers/unit-php.nix | 47 ++++++++++++++++++++++++++++ pkgs/servers/http/unit/default.nix | 4 ++- 3 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 nixos/tests/web-servers/unit-php.nix diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 46f552b26a4..d1b1acc292d 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix 
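Review bot: The added buildInputs line `++ optional withPHP73 php74-unit` gates php74-unit on the wrong flag; with the new defaults (`withPHP73 = false`, `withPHP74 = true`) php74-unit is never added to buildInputs even though the configure hunk below runs `./configure php --module=php74 ... --lib-path=${php74-unit}/lib`, and a build with `withPHP73 = true` and `withPHP74 = false` pulls in php74-unit for nothing. It should read `++ optional withPHP74 php74-unit`. Because the configure line interpolates `${php74-unit}` directly, the package is still realised as a dependency, so the mistake can stay hidden for as long as the build happens to succeed without the input.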
@@ -321,6 +321,7 @@ in trickster = handleTest ./trickster.nix {}; tuptime = handleTest ./tuptime.nix {}; udisks2 = handleTest ./udisks2.nix {}; + unit-php = handleTest ./web-servers/unit-php.nix {}; upnp = handleTest ./upnp.nix {}; uwsgi = handleTest ./uwsgi.nix {}; vault = handleTest ./vault.nix {}; diff --git a/nixos/tests/web-servers/unit-php.nix b/nixos/tests/web-servers/unit-php.nix new file mode 100644 index 00000000000..c6327a1f825 --- /dev/null +++ b/nixos/tests/web-servers/unit-php.nix @@ -0,0 +1,47 @@ +import ../make-test-python.nix ({pkgs, ...}: + let + testdir = pkgs.writeTextDir "www/info.php" "