public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #95444 from doronbehar/fix/mount+s

Browse Source 
nixos/wrappers: make mount have the +s bit.
This commit is contained in:
Florian Klink 2020-08-16 12:23:12 +02:00 committed by GitHub
commit 609eb86db7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 35 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
nixos/modules/security/wrappers/default.nix
View File

@ -160,8 +160,11 @@ in
config = { config = {
security.wrappers = { security.wrappers = {
# These are mount related wrappers that require the +s permission.
fusermount.source = "${pkgs.fuse}/bin/fusermount"; fusermount.source = "${pkgs.fuse}/bin/fusermount";
fusermount3.source = "${pkgs.fuse3}/bin/fusermount3"; fusermount3.source = "${pkgs.fuse3}/bin/fusermount3";
mount.source = "${lib.getBin pkgs.utillinux}/bin/mount";
umount.source = "${lib.getBin pkgs.utillinux}/bin/umount";
}; };
boot.specialFileSystems.${parentWrapperDir} = { boot.specialFileSystems.${parentWrapperDir} = {

32
nixos/tests/misc.nix
View File

@ -20,12 +20,24 @@ import ./make-test-python.nix ({ pkgs, ...} : rec {
{ fsType = "tmpfs"; { fsType = "tmpfs";
options = [ "mode=1777" "noauto" ]; options = [ "mode=1777" "noauto" ];
}; };
# Tests https://discourse.nixos.org/t/how-to-make-a-derivations-executables-have-the-s-permission/8555
"/user-mount/point" = {
device = "/user-mount/source";
fsType = "none";
options = [ "bind" "rw" "user" "noauto" ];
};
"/user-mount/denied-point" = {
device = "/user-mount/denied-source";
fsType = "none";
options = [ "bind" "rw" "noauto" ];
};
}; };
systemd.automounts = singleton systemd.automounts = singleton
{ wantedBy = [ "multi-user.target" ]; { wantedBy = [ "multi-user.target" ];
where = "/tmp2"; where = "/tmp2";
}; };
users.users.sybil = { isNormalUser = true; group = "wheel"; }; users.users.sybil = { isNormalUser = true; group = "wheel"; };
users.users.alice = { isNormalUser = true; };
security.sudo = { enable = true; wheelNeedsPassword = false; }; security.sudo = { enable = true; wheelNeedsPassword = false; };
boot.kernel.sysctl."vm.swappiness" = 1; boot.kernel.sysctl."vm.swappiness" = 1;
boot.kernelParams = [ "vsyscall=emulate" ]; boot.kernelParams = [ "vsyscall=emulate" ];
@ -112,6 +124,26 @@ import ./make-test-python.nix ({ pkgs, ...} : rec {
machine.succeed("touch /tmp2/x") machine.succeed("touch /tmp2/x")
machine.succeed("grep '/tmp2 tmpfs' /proc/mounts") machine.succeed("grep '/tmp2 tmpfs' /proc/mounts")
with subtest(
"Whether mounting by a user is possible with the `user` option in fstab (#95444)"
):
machine.succeed("mkdir -p /user-mount/source")
machine.succeed("touch /user-mount/source/file")
machine.succeed("chmod -R a+Xr /user-mount/source")
machine.succeed("mkdir /user-mount/point")
machine.succeed("chown alice:users /user-mount/point")
machine.succeed("su - alice -c 'mount /user-mount/point'")
machine.succeed("su - alice -c 'ls /user-mount/point/file'")
with subtest(
"Whether mounting by a user is denied without the `user` option in fstab"
):
machine.succeed("mkdir -p /user-mount/denied-source")
machine.succeed("touch /user-mount/denied-source/file")
machine.succeed("chmod -R a+Xr /user-mount/denied-source")
machine.succeed("mkdir /user-mount/denied-point")
machine.succeed("chown alice:users /user-mount/denied-point")
machine.fail("su - alice -c 'mount /user-mount/denied-point'")
with subtest("shell-vars"): with subtest("shell-vars"):
machine.succeed('[ -n "$NIX_PATH" ]') machine.succeed('[ -n "$NIX_PATH" ]')