Commit Graph

876 Commits

Author SHA1 Message Date
Majiir Paktu
3c85d159f7 nixos/pam: automatically populate rule type
Eliminates a redundancy between the 'rules' suboptions and the type
specified in each rule.

We eventually want to give each rule a name so that we can merge config
overrides. The PAM name is a natural choice for rule name, but a PAM is
often used in multiple rule types. Organizing rules by type and rule
name avoids name collisions.
2023-10-09 23:17:15 -04:00
Majiir Paktu
d6bb805932 nixos/pam: extract header comments
Unblocks converting the rules from one big string to a rich data
structure.
2023-10-09 20:40:19 -04:00
Majiir Paktu
0f9d719d8a nixos/pam: split rule lists into individual rules 2023-09-24 18:37:10 -04:00
Majiir Paktu
dd458977a0 nixos/pam: clean up rules
Makes the rules more uniform in structure and style. This makes it
easier to automate subsequent commits. No behavior changes.
2023-09-24 18:37:10 -04:00
Maciej Krüger
8e9b72be82
nixos/sudo-rs: add crossCompile 'fix'
This is just a quick fix based on pname,
as I have no idea how to use slicing in the module

We should instead use slicing to get the package for the host
2023-09-22 15:14:14 +02:00
Maciej Krüger
7c8b8bd3e4
nixos/sudo-rs: init
adds a new sudo-rs module that contains sudo-rs changes removed from sudo module
2023-09-22 15:14:13 +02:00
Maciej Krüger
57d41f9751
nixos/sudo: revert sudo-rs 922926cfbc (partial #253876)
This reverts the module changes that were added
by the addition of sudo-rs (merge 922926cfbc) from the sudo module.

Individual commits reverted:
* 409d29ca73 2023-08-31 | [nicoo] nixos/sudo: Split up `configFile` into individual sections
* 454151375d 2023-09-04 | [nicoo] nixos/sudo: Don't include empty sections
* 8742134c80 2023-09-04 | [nicoo] nixos/sudo: Only keep SSH_AUTH_SOCK if used for authentication
* f5aadb56be 2023-09-07 | [nicoo] nixos/sudo: Refactor option definitions
* 8b9e867ac8 2023-09-07 | [nicoo] nixos/sudo: Refactor checks for Todd C. Miller's implemetation
* 3a95964fd5 2023-09-07 | [nicoo] nixos/sudo: Drop useless `lib.` qualifiers
* b1eab8ca53 2023-09-07 | [nicoo] nixos/sudo: Handle `root`'s default rule through `extraRules`
* 717e51a140 2023-09-07 | [nicoo] nixos/sudo: Make the default rules' options configurable
* c11da39117 2023-09-07 | [nicoo] nixos/sudo: Drop the sudoers comment for `extraRules`
* f0107b4f63 2023-09-07 | [nicoo] nixos/sudo: Check syntax using the configured package
* 914bf58369 2023-09-07 | [nicoo] nixos/{sudo, terminfo}: Adjust defaults for compatibility with `sudo-rs`
* f66eb0df3b 2023-09-07 | [nicoo] nixos/sudo: Only wrap `sudoedit` when using Miller's sudo
* d63eb55e81 2023-09-13 | [nicoo] nixos/sudo: Generate `sudo-i` PAM config for interactive use of `sudo-rs`
* d8d0b8019f 2023-09-13 | [nicoo] nixos/sudo: Add myself as maintainer (nbraud/nixos/sudo-rs)
2023-09-22 15:13:56 +02:00
nicoo
d8d0b8019f nixos/sudo: Add myself as maintainer 2023-09-18 18:03:58 +00:00
nicoo
d63eb55e81 nixos/sudo: Generate sudo-i PAM config for interactive use of sudo-rs 2023-09-18 18:03:58 +00:00
nicoo
f66eb0df3b nixos/sudo: Only wrap sudoedit when using Miller's sudo 2023-09-18 17:36:15 +00:00
nicoo
914bf58369 nixos/{sudo, terminfo}: Adjust defaults for compatibility with sudo-rs 2023-09-18 17:36:15 +00:00
nicoo
f0107b4f63 nixos/sudo: Check syntax using the configured package
This is preferable even for regular `sudo`, but will ensure the check is useful
when using `sudo-rs` in the future.

Also, dropped antediluvian comment about the syntax check being disabled,
when it was clearly not commented out:
  - introduced in 2007, commit 6d65f0ae03ae14f3e978d89959253d9a8f5e0ec1;
  - reverted in 2014, commit e68a5b265a,
    but without ammending the comments.
2023-09-18 17:36:15 +00:00
nicoo
c11da39117 nixos/sudo: Drop the sudoers comment for extraRules
All rules are now handled through `extraRules`,
and it is never empty so `optionalString` isn't needed either.
2023-09-18 17:36:15 +00:00
nicoo
717e51a140 nixos/sudo: Make the default rules' options configurable 2023-09-18 17:36:15 +00:00
nicoo
b1eab8ca53 nixos/sudo: Handle root's default rule through extraRules
This makes things more uniform, and simplifies compatibility with sudo-rs.

Moreover, users can not inject rules before this if they need to.
2023-09-18 17:35:45 +00:00
nicoo
3a95964fd5 nixos/sudo: Drop useless lib. qualifiers
Also normalise indentation for `mdDoc` to what's prevalent in this file.
2023-09-18 17:35:07 +00:00
nicoo
8b9e867ac8 nixos/sudo: Refactor checks for Todd C. Miller's implemetation 2023-09-18 17:35:07 +00:00
nicoo
f5aadb56be nixos/sudo: Refactor option definitions 2023-09-18 17:35:06 +00:00
nicoo
8742134c80 nixos/sudo: Only keep SSH_AUTH_SOCK if used for authentication
This will make compatibility with `sudo-rs` easier.
2023-09-18 17:35:06 +00:00
nicoo
454151375d nixos/sudo: Don't include empty sections
This makes the generated sudoers a touch easier to read.
2023-09-18 17:35:06 +00:00
nicoo
409d29ca73 nixos/sudo: Split up configFile into individual sections 2023-09-18 17:35:06 +00:00
datafoo
ade414b6c7 nixos/acme: rename option credentialsFile to environmentFile 2023-09-11 16:34:20 +00:00
datafoo
5f105f8778 nixos/acme: add option to set credential files
This is to leverage systemd credentials for variables suffixed by _FILE.
2023-09-11 16:34:20 +00:00
mib
2e66f109ed nixos/pam: fix typo in fscrypt enable option
mkEnableOption prepends "Whether to enable" to text, so this became
"Whether to enable Enables fscrypt ..."
2023-09-11 12:06:39 +02:00
Pierre Bourdon
bfdf28becf
Merge pull request #251770 from robryk/suidwrapapparm
nixos/security/wrappers: simplifications and a fix for #98863 (respin of #199599)
2023-09-10 09:51:36 +02:00
Oliver Schmidt
e362fe9c6d security/acme: limit concurrent certificate generations
fixes #232505

Implements the new option `security.acme.maxConcurrentRenewals` to limit
the number of certificate generation (or renewal) jobs that can run in
parallel. This avoids overloading the system resources with many
certificates or running into acme registry rate limits and network
timeouts.

Architecture considerations:
- simplicity, lightweight: Concerns have been voiced about making this
  already rather complex module even more convoluted. Additionally,
  locking solutions shall not significantly increase performance and
  footprint of individual job runs.
  To accomodate these concerns, this solution is implemented purely in
  Nix, bash, and using the light-weight `flock` util. To reduce
  complexity, jobs are already assigned their lockfile slot at system
  build time instead of dynamic locking and retrying. This comes at the
  cost of not always maxing out the permitted concurrency at runtime.
- no stale locks: Limiting concurrency via locking mechanism is usually
  approached with semaphores. Unfortunately, both SysV as well as
  POSIX-Semaphores are *not* released when the process currently locking
  them is SIGKILLed. This poses the danger of stale locks staying around
  and certificate renewal being blocked from running altogether.
  `flock` locks though are released when the process holding the file
  descriptor of the lock file is KILLed or terminated.
- lockfile generation: Lock files could either be created at build time
  in the Nix store or at script runtime in a idempotent manner.
  While the latter would be simpler to achieve, we might exceed the number
  of permitted concurrent runs during a system switch: Already running
  jobs are still locked on the existing lock files, while jobs started
  after the system switch will acquire locks on freshly created files,
  not being blocked by the still running services.
  For this reason, locks are generated and managed at runtime in the
  shared state directory `/var/lib/locks/`.

nixos/security/acme: move locks to /run

also, move over permission and directory management to systemd-tmpfiles

nixos/security/acme: fix some linter remarks in my code

there are some remarks left for existing code, not touching that

nixos/security/acme: redesign script locking flow

- get rid of subshell
- provide function for wrapping scripts in a locked environment

nixos/acme: improve visibility of blocking on locks

nixos/acme: add smoke test for concurrency limitation

heavily inspired by m1cr0man

nixos/acme: release notes entry on new concurrency limits

nixos/acme: cleanup, clarifications
2023-09-09 20:13:18 +02:00
nicoo
10b6e8ba21 nixos/sudo: Guard against security.sudo.package = pkgs.sudo-rs;
This is not unlikely to happen, given the enthusiasm shown by some users,
but we are not there yet, and this will save them from breaking their system.
2023-09-04 22:00:00 +00:00
Robert Obryk
c64bbd4466 nixos/security/wrappers: remove all the assertions about readlink(/proc/self/exe)
Given that we are no longer inspecting the target of the /proc/self/exe
symlink, stop asserting that it has any properties. Remove the plumbing
for wrappersDir, which is no longer used.

Asserting that the binary is located in the specific place is no longer
necessary, because we don't rely on that location being writable only by
privileged entities (we used to rely on that when assuming that
readlink(/proc/self/exe) will continue to point at us and when assuming
that the `.real` file can be trusted).

Assertions about lack of write bits on the file were
IMO meaningless since inception: ignoring the Linux's refusal to honor
S[UG]ID bits on files-writeable-by-others, if someone could have
modified the wrapper in a way that preserved the capability or S?ID
bits, they could just remove this check.

Assertions about effective UID were IMO just harmful: if we were
executed without elevation, the caller would expect the result that
would cause in a wrapperless distro: the targets gets executed without
elevation. Due to lack of elevation, that cannot be used to abuse
privileges that the elevation would give.

This change partially fixes #98863 for S[UG]ID wrappers. The issue for
capability wrappers remains.
2023-08-27 14:10:38 +02:00
Robert Obryk
e3550208de nixos/security/wrappers: read capabilities off /proc/self/exe directly
/proc/self/exe is a "fake" symlink. When it's opened, it always opens
the actual file that was execve()d in this process, even if the file was
deleted or renamed; if the file is no longer accessible from the current
chroot/mount namespace it will at the very worst fail and never open the
wrong file. Thus, we can make a much simpler argument that we're reading
capabilities off the correct file after this change (and that argument
doesn't rely on things such as protected_hardlinks being enabled, or no
users being able to write to /run/wrappers, or the verification that the
path readlink returns starts with /run/wrappers/).
2023-08-27 14:10:38 +02:00
Robert Obryk
1bdbc0b0fe nixos/security/wrappers: stop using .real files
Before this change it was crucial that nonprivileged users are unable to
create hardlinks to SUID wrappers, lest they be able to provide a
different `.real` file alongside. That was ensured by not providing a
location writable to them in the /run/wrappers tmpfs, (unless
disabled) by the fs.protected_hardlinks=1 sysctl, and by the explicit
own-path check in the wrapper. After this change, ensuring
that property is no longer important, and the check is most likely
redundant.

The simplification of expectations of the wrapper will make it
easier to remove some of the assertions in the wrapper (which currently
cause the wrapper to fail in no_new_privs environments, instead of
executing the target with non-elevated privileges).

Note that wrappers had to be copied (not symlinked) into /run/wrappers
due to the SUID/capability bits, and they couldn't be hard/softlinks of
each other due to those bits potentially differing. Thus, this change
doesn't increase the amount of memory used by /run/wrappers.

This change removes part of the test that is obsoleted by the removal of
`.real` files.
2023-08-27 14:10:36 +02:00
Robert Obryk
44fde723be nixos/security/wrappers: generate a separate and more complete apparmor policy fragment for each wrapper
This change includes some stuff (e.g. reading of the `.real` file,
execution of the wrapper's target) that belongs to the apparmor policy
of the wrapper. This necessitates making them distinct for each wrapper.
The main reason for this change is as a preparation for making each
wrapper be a distinct binary.
2023-08-27 14:10:07 +02:00
Pierre Bourdon
4428f3a79a
Revert "nixos/security/wrappers: simplifications and a fix for #98863" 2023-08-24 08:35:11 +02:00
Robert Obryk
ff204ca32b nixos/security/wrappers: remove all the assertions about readlink(/proc/self/exe)
Given that we are no longer inspecting the target of the /proc/self/exe
symlink, stop asserting that it has any properties. Remove the plumbing
for wrappersDir, which is no longer used.

Asserting that the binary is located in the specific place is no longer
necessary, because we don't rely on that location being writable only by
privileged entities (we used to rely on that when assuming that
readlink(/proc/self/exe) will continue to point at us and when assuming
that the `.real` file can be trusted).

Assertions about lack of write bits on the file were
IMO meaningless since inception: ignoring the Linux's refusal to honor
S[UG]ID bits on files-writeable-by-others, if someone could have
modified the wrapper in a way that preserved the capability or S?ID
bits, they could just remove this check.

Assertions about effective UID were IMO just harmful: if we were
executed without elevation, the caller would expect the result that
would cause in a wrapperless distro: the targets gets executed without
elevation. Due to lack of elevation, that cannot be used to abuse
privileges that the elevation would give.

This change partially fixes #98863 for S[UG]ID wrappers. The issue for
capability wrappers remains.
2023-08-16 11:33:22 +02:00
Robert Obryk
11ca4dcbb8 nixos/security/wrappers: read capabilities off /proc/self/exe directly
/proc/self/exe is a "fake" symlink. When it's opened, it always opens
the actual file that was execve()d in this process, even if the file was
deleted or renamed; if the file is no longer accessible from the current
chroot/mount namespace it will at the very worst fail and never open the
wrong file. Thus, we can make a much simpler argument that we're reading
capabilities off the correct file after this change (and that argument
doesn't rely on things such as protected_hardlinks being enabled, or no
users being able to write to /run/wrappers, or the verification that the
path readlink returns starts with /run/wrappers/).
2023-08-16 11:33:22 +02:00
Robert Obryk
ec36e0218f nixos/security/wrappers: stop using .real files
Before this change it was crucial that nonprivileged users are unable to
create hardlinks to SUID wrappers, lest they be able to provide a
different `.real` file alongside. That was ensured by not providing a
location writable to them in the /run/wrappers tmpfs, (unless
disabled) by the fs.protected_hardlinks=1 sysctl, and by the explicit
own-path check in the wrapper. After this change, ensuring
that property is no longer important, and the check is most likely
redundant.

The simplification of expectations of the wrapper will make it
easier to remove some of the assertions in the wrapper (which currently
cause the wrapper to fail in no_new_privs environments, instead of
executing the target with non-elevated privileges).

Note that wrappers had to be copied (not symlinked) into /run/wrappers
due to the SUID/capability bits, and they couldn't be hard/softlinks of
each other due to those bits potentially differing. Thus, this change
doesn't increase the amount of memory used by /run/wrappers.
2023-08-16 11:33:22 +02:00
Aaron Andersen
9d56365451 security/pam: add umask option to configure pam_mkhomedir 2023-08-10 20:35:08 -04:00
Ryan Lahfa
ec409e6f79
Merge pull request #231673 from symphorien/suid_wrappers_userns 2023-08-10 11:52:59 +02:00
Guillaume Girol
0e4b8a05b2 nixos/wrappers: allow setuid and setgid wrappers to run in user namespaces
In user namespaces where an unprivileged user is mapped as root and root
is unmapped, setuid bits have no effect. However setuid root
executables like mount are still usable *in the namespace* as the user
already has the required privileges. This commit detects the situation
where the wrapper gained no privileges that the parent process did not
already have and in this case does less sanity checking. In short there
is no need to be picky since the parent already can execute the foo.real
executable themselves.

Details:
man 7 user_namespaces:
   Set-user-ID and set-group-ID programs
       When a process inside a user namespace executes a set-user-ID
       (set-group-ID) program, the process's effective user (group) ID
       inside the namespace is changed to whatever value is mapped for
       the user (group) ID of the file.  However, if either the user or
       the group ID of the file has no mapping inside the namespace, the
       set-user-ID (set-group-ID) bit is silently ignored: the new
       program is executed, but the process's effective user (group) ID
       is left unchanged.  (This mirrors the semantics of executing a
       set-user-ID or set-group-ID program that resides on a filesystem
       that was mounted with the MS_NOSUID flag, as described in
       mount(2).)

The effect of the setuid bit is that the real user id is preserved and
the effective and set user ids are changed to the owner of the wrapper.
We detect that no privilege was gained by checking that euid == suid
== ruid. In this case we stop checking that euid == owner of the
wrapper file.

As a reminder here are the values of euid, ruid, suid, stat.st_uid and
stat.st_mode & S_ISUID in various cases when running a setuid 42 executable as user 1000:

Normal case:
ruid=1000 euid=42 suid=42
setuid=2048, st_uid=42

nosuid mount:
ruid=1000 euid=1000 suid=1000
setuid=2048, st_uid=42

inside unshare -rm:
ruid=0 euid=0 suid=0
setuid=2048, st_uid=65534

inside unshare -rm, on a suid mount:
ruid=0 euid=0 suid=0
setuid=2048, st_uid=65534
2023-08-09 12:00:00 +00:00
Lin Jian
74fadae942
treewide: stop using types.string
It is an error[1] now.

[1]: https://github.com/NixOS/nixpkgs/pull/247848
2023-08-08 21:31:21 +08:00
ajs124
bf4d2e6c1e
Merge pull request #242538 from tnias/fix/apparmor
apparmor: add some policies and improve abstractions and utils
2023-08-04 13:05:52 +02:00
Philipp Bartsch
0f474b4c6c nixos/apparmor: support custom i18n glibc locales
The i18n nixos module creates a customized glibcLocales package.
Use the system specific glibcLocale instead of the vanilla one.
2023-07-12 21:38:31 +02:00
Philipp Bartsch
ad7ffe3a7c nixos/apparmor: fix syntax in abstractions/bash 2023-07-09 22:25:30 +02:00
Philipp Bartsch
9145e6df84 nixos/apparmor: add missing abstraction/nss-systemd
The abstraction/nameservice profile from apparmor-profiles package
includes abstractions/nss-systemd. Without "reexporting" it,
the include fails and we get some errors.
2023-07-09 22:21:44 +02:00
Jacob Moody
5f97e78c64 pam_dp9ik: init at 1.5 2023-07-09 14:12:21 -05:00
Philipp Bartsch
0eabede44b nixos/apparmor: make abstractions/ssl_certs more go friendly
By default golang's crypto/x509 implementation wants to read
/etc/pki/tls/certs/ when loading system certificates.

This patch adds the path to reduce audit log noise.

Relevant code:
- https://github.com/golang/go/blob/go1.20.5/src/crypto/x509/root_unix.go#L32-L82
- https://github.com/golang/go/blob/go1.20.5/src/crypto/x509/root_linux.go#L17-L22
2023-07-08 00:53:27 +02:00
Michael Hoang
98d970bc37 nixos/qemu-vm: use CA certificates from host 2023-07-06 21:32:08 +10:00
Felix Buehler
933a41a73f treewide: use optional instead of 'then []' 2023-06-25 09:11:40 -03:00
Max
34a4165674 nixos/pam: support Kanidm 2023-06-11 17:17:42 +02:00
Jenny
0adbf8feb4
nixos/pam_mount: fix mounts without options (#234026)
This commit adds a comma in front of the given options, which makes the
mounts still succeed even if no options are given.

Fixes #233946
2023-05-25 22:45:59 +02:00
Jenny
7abd408b7f
nixos/pam_mount: fix cryptmount options (#232873)
There was a bug in the pam_mount module that crypt mount options were
not passed to the mount.crypt command. This is now fixed and
additionally, a cryptMountOptions NixOS option is added to define mount
options that should apply to all crypt mounts.

Fixes #230920
2023-05-20 17:40:36 +02:00