Commit Graph

857 Commits

Author SHA1 Message Date
nicoo
454151375d nixos/sudo: Don't include empty sections
This makes the generated sudoers a touch easier to read.
2023-09-18 17:35:06 +00:00
nicoo
409d29ca73 nixos/sudo: Split up configFile into individual sections 2023-09-18 17:35:06 +00:00
datafoo
ade414b6c7 nixos/acme: rename option credentialsFile to environmentFile 2023-09-11 16:34:20 +00:00
datafoo
5f105f8778 nixos/acme: add option to set credential files
This is to leverage systemd credentials for variables suffixed by _FILE.
2023-09-11 16:34:20 +00:00
mib
2e66f109ed nixos/pam: fix typo in fscrypt enable option
mkEnableOption prepends "Whether to enable" to text, so this became
"Whether to enable Enables fscrypt ..."
2023-09-11 12:06:39 +02:00
Pierre Bourdon
bfdf28becf
Merge pull request #251770 from robryk/suidwrapapparm
nixos/security/wrappers: simplifications and a fix for #98863 (respin of #199599)
2023-09-10 09:51:36 +02:00
Oliver Schmidt
e362fe9c6d security/acme: limit concurrent certificate generations
fixes #232505

Implements the new option `security.acme.maxConcurrentRenewals` to limit
the number of certificate generation (or renewal) jobs that can run in
parallel. This avoids overloading the system resources with many
certificates or running into acme registry rate limits and network
timeouts.

Architecture considerations:
- simplicity, lightweight: Concerns have been voiced about making this
  already rather complex module even more convoluted. Additionally,
  locking solutions shall not significantly increase performance and
  footprint of individual job runs.
  To accomodate these concerns, this solution is implemented purely in
  Nix, bash, and using the light-weight `flock` util. To reduce
  complexity, jobs are already assigned their lockfile slot at system
  build time instead of dynamic locking and retrying. This comes at the
  cost of not always maxing out the permitted concurrency at runtime.
- no stale locks: Limiting concurrency via locking mechanism is usually
  approached with semaphores. Unfortunately, both SysV as well as
  POSIX-Semaphores are *not* released when the process currently locking
  them is SIGKILLed. This poses the danger of stale locks staying around
  and certificate renewal being blocked from running altogether.
  `flock` locks though are released when the process holding the file
  descriptor of the lock file is KILLed or terminated.
- lockfile generation: Lock files could either be created at build time
  in the Nix store or at script runtime in a idempotent manner.
  While the latter would be simpler to achieve, we might exceed the number
  of permitted concurrent runs during a system switch: Already running
  jobs are still locked on the existing lock files, while jobs started
  after the system switch will acquire locks on freshly created files,
  not being blocked by the still running services.
  For this reason, locks are generated and managed at runtime in the
  shared state directory `/var/lib/locks/`.

nixos/security/acme: move locks to /run

also, move over permission and directory management to systemd-tmpfiles

nixos/security/acme: fix some linter remarks in my code

there are some remarks left for existing code, not touching that

nixos/security/acme: redesign script locking flow

- get rid of subshell
- provide function for wrapping scripts in a locked environment

nixos/acme: improve visibility of blocking on locks

nixos/acme: add smoke test for concurrency limitation

heavily inspired by m1cr0man

nixos/acme: release notes entry on new concurrency limits

nixos/acme: cleanup, clarifications
2023-09-09 20:13:18 +02:00
nicoo
10b6e8ba21 nixos/sudo: Guard against security.sudo.package = pkgs.sudo-rs;
This is not unlikely to happen, given the enthusiasm shown by some users,
but we are not there yet, and this will save them from breaking their system.
2023-09-04 22:00:00 +00:00
Robert Obryk
c64bbd4466 nixos/security/wrappers: remove all the assertions about readlink(/proc/self/exe)
Given that we are no longer inspecting the target of the /proc/self/exe
symlink, stop asserting that it has any properties. Remove the plumbing
for wrappersDir, which is no longer used.

Asserting that the binary is located in the specific place is no longer
necessary, because we don't rely on that location being writable only by
privileged entities (we used to rely on that when assuming that
readlink(/proc/self/exe) will continue to point at us and when assuming
that the `.real` file can be trusted).

Assertions about lack of write bits on the file were
IMO meaningless since inception: ignoring the Linux's refusal to honor
S[UG]ID bits on files-writeable-by-others, if someone could have
modified the wrapper in a way that preserved the capability or S?ID
bits, they could just remove this check.

Assertions about effective UID were IMO just harmful: if we were
executed without elevation, the caller would expect the result that
would cause in a wrapperless distro: the targets gets executed without
elevation. Due to lack of elevation, that cannot be used to abuse
privileges that the elevation would give.

This change partially fixes #98863 for S[UG]ID wrappers. The issue for
capability wrappers remains.
2023-08-27 14:10:38 +02:00
Robert Obryk
e3550208de nixos/security/wrappers: read capabilities off /proc/self/exe directly
/proc/self/exe is a "fake" symlink. When it's opened, it always opens
the actual file that was execve()d in this process, even if the file was
deleted or renamed; if the file is no longer accessible from the current
chroot/mount namespace it will at the very worst fail and never open the
wrong file. Thus, we can make a much simpler argument that we're reading
capabilities off the correct file after this change (and that argument
doesn't rely on things such as protected_hardlinks being enabled, or no
users being able to write to /run/wrappers, or the verification that the
path readlink returns starts with /run/wrappers/).
2023-08-27 14:10:38 +02:00
Robert Obryk
1bdbc0b0fe nixos/security/wrappers: stop using .real files
Before this change it was crucial that nonprivileged users are unable to
create hardlinks to SUID wrappers, lest they be able to provide a
different `.real` file alongside. That was ensured by not providing a
location writable to them in the /run/wrappers tmpfs, (unless
disabled) by the fs.protected_hardlinks=1 sysctl, and by the explicit
own-path check in the wrapper. After this change, ensuring
that property is no longer important, and the check is most likely
redundant.

The simplification of expectations of the wrapper will make it
easier to remove some of the assertions in the wrapper (which currently
cause the wrapper to fail in no_new_privs environments, instead of
executing the target with non-elevated privileges).

Note that wrappers had to be copied (not symlinked) into /run/wrappers
due to the SUID/capability bits, and they couldn't be hard/softlinks of
each other due to those bits potentially differing. Thus, this change
doesn't increase the amount of memory used by /run/wrappers.

This change removes part of the test that is obsoleted by the removal of
`.real` files.
2023-08-27 14:10:36 +02:00
Robert Obryk
44fde723be nixos/security/wrappers: generate a separate and more complete apparmor policy fragment for each wrapper
This change includes some stuff (e.g. reading of the `.real` file,
execution of the wrapper's target) that belongs to the apparmor policy
of the wrapper. This necessitates making them distinct for each wrapper.
The main reason for this change is as a preparation for making each
wrapper be a distinct binary.
2023-08-27 14:10:07 +02:00
Pierre Bourdon
4428f3a79a
Revert "nixos/security/wrappers: simplifications and a fix for #98863" 2023-08-24 08:35:11 +02:00
Robert Obryk
ff204ca32b nixos/security/wrappers: remove all the assertions about readlink(/proc/self/exe)
Given that we are no longer inspecting the target of the /proc/self/exe
symlink, stop asserting that it has any properties. Remove the plumbing
for wrappersDir, which is no longer used.

Asserting that the binary is located in the specific place is no longer
necessary, because we don't rely on that location being writable only by
privileged entities (we used to rely on that when assuming that
readlink(/proc/self/exe) will continue to point at us and when assuming
that the `.real` file can be trusted).

Assertions about lack of write bits on the file were
IMO meaningless since inception: ignoring the Linux's refusal to honor
S[UG]ID bits on files-writeable-by-others, if someone could have
modified the wrapper in a way that preserved the capability or S?ID
bits, they could just remove this check.

Assertions about effective UID were IMO just harmful: if we were
executed without elevation, the caller would expect the result that
would cause in a wrapperless distro: the targets gets executed without
elevation. Due to lack of elevation, that cannot be used to abuse
privileges that the elevation would give.

This change partially fixes #98863 for S[UG]ID wrappers. The issue for
capability wrappers remains.
2023-08-16 11:33:22 +02:00
Robert Obryk
11ca4dcbb8 nixos/security/wrappers: read capabilities off /proc/self/exe directly
/proc/self/exe is a "fake" symlink. When it's opened, it always opens
the actual file that was execve()d in this process, even if the file was
deleted or renamed; if the file is no longer accessible from the current
chroot/mount namespace it will at the very worst fail and never open the
wrong file. Thus, we can make a much simpler argument that we're reading
capabilities off the correct file after this change (and that argument
doesn't rely on things such as protected_hardlinks being enabled, or no
users being able to write to /run/wrappers, or the verification that the
path readlink returns starts with /run/wrappers/).
2023-08-16 11:33:22 +02:00
Robert Obryk
ec36e0218f nixos/security/wrappers: stop using .real files
Before this change it was crucial that nonprivileged users are unable to
create hardlinks to SUID wrappers, lest they be able to provide a
different `.real` file alongside. That was ensured by not providing a
location writable to them in the /run/wrappers tmpfs, (unless
disabled) by the fs.protected_hardlinks=1 sysctl, and by the explicit
own-path check in the wrapper. After this change, ensuring
that property is no longer important, and the check is most likely
redundant.

The simplification of expectations of the wrapper will make it
easier to remove some of the assertions in the wrapper (which currently
cause the wrapper to fail in no_new_privs environments, instead of
executing the target with non-elevated privileges).

Note that wrappers had to be copied (not symlinked) into /run/wrappers
due to the SUID/capability bits, and they couldn't be hard/softlinks of
each other due to those bits potentially differing. Thus, this change
doesn't increase the amount of memory used by /run/wrappers.
2023-08-16 11:33:22 +02:00
Aaron Andersen
9d56365451 security/pam: add umask option to configure pam_mkhomedir 2023-08-10 20:35:08 -04:00
Ryan Lahfa
ec409e6f79
Merge pull request #231673 from symphorien/suid_wrappers_userns 2023-08-10 11:52:59 +02:00
Guillaume Girol
0e4b8a05b2 nixos/wrappers: allow setuid and setgid wrappers to run in user namespaces
In user namespaces where an unprivileged user is mapped as root and root
is unmapped, setuid bits have no effect. However setuid root
executables like mount are still usable *in the namespace* as the user
already has the required privileges. This commit detects the situation
where the wrapper gained no privileges that the parent process did not
already have and in this case does less sanity checking. In short there
is no need to be picky since the parent already can execute the foo.real
executable themselves.

Details:
man 7 user_namespaces:
   Set-user-ID and set-group-ID programs
       When a process inside a user namespace executes a set-user-ID
       (set-group-ID) program, the process's effective user (group) ID
       inside the namespace is changed to whatever value is mapped for
       the user (group) ID of the file.  However, if either the user or
       the group ID of the file has no mapping inside the namespace, the
       set-user-ID (set-group-ID) bit is silently ignored: the new
       program is executed, but the process's effective user (group) ID
       is left unchanged.  (This mirrors the semantics of executing a
       set-user-ID or set-group-ID program that resides on a filesystem
       that was mounted with the MS_NOSUID flag, as described in
       mount(2).)

The effect of the setuid bit is that the real user id is preserved and
the effective and set user ids are changed to the owner of the wrapper.
We detect that no privilege was gained by checking that euid == suid
== ruid. In this case we stop checking that euid == owner of the
wrapper file.

As a reminder here are the values of euid, ruid, suid, stat.st_uid and
stat.st_mode & S_ISUID in various cases when running a setuid 42 executable as user 1000:

Normal case:
ruid=1000 euid=42 suid=42
setuid=2048, st_uid=42

nosuid mount:
ruid=1000 euid=1000 suid=1000
setuid=2048, st_uid=42

inside unshare -rm:
ruid=0 euid=0 suid=0
setuid=2048, st_uid=65534

inside unshare -rm, on a suid mount:
ruid=0 euid=0 suid=0
setuid=2048, st_uid=65534
2023-08-09 12:00:00 +00:00
Lin Jian
74fadae942
treewide: stop using types.string
It is an error[1] now.

[1]: https://github.com/NixOS/nixpkgs/pull/247848
2023-08-08 21:31:21 +08:00
ajs124
bf4d2e6c1e
Merge pull request #242538 from tnias/fix/apparmor
apparmor: add some policies and improve abstractions and utils
2023-08-04 13:05:52 +02:00
Philipp Bartsch
0f474b4c6c nixos/apparmor: support custom i18n glibc locales
The i18n nixos module creates a customized glibcLocales package.
Use the system specific glibcLocale instead of the vanilla one.
2023-07-12 21:38:31 +02:00
Philipp Bartsch
ad7ffe3a7c nixos/apparmor: fix syntax in abstractions/bash 2023-07-09 22:25:30 +02:00
Philipp Bartsch
9145e6df84 nixos/apparmor: add missing abstraction/nss-systemd
The abstraction/nameservice profile from apparmor-profiles package
includes abstractions/nss-systemd. Without "reexporting" it,
the include fails and we get some errors.
2023-07-09 22:21:44 +02:00
Jacob Moody
5f97e78c64 pam_dp9ik: init at 1.5 2023-07-09 14:12:21 -05:00
Philipp Bartsch
0eabede44b nixos/apparmor: make abstractions/ssl_certs more go friendly
By default golang's crypto/x509 implementation wants to read
/etc/pki/tls/certs/ when loading system certificates.

This patch adds the path to reduce audit log noise.

Relevant code:
- https://github.com/golang/go/blob/go1.20.5/src/crypto/x509/root_unix.go#L32-L82
- https://github.com/golang/go/blob/go1.20.5/src/crypto/x509/root_linux.go#L17-L22
2023-07-08 00:53:27 +02:00
Michael Hoang
98d970bc37 nixos/qemu-vm: use CA certificates from host 2023-07-06 21:32:08 +10:00
Felix Buehler
933a41a73f treewide: use optional instead of 'then []' 2023-06-25 09:11:40 -03:00
Max
34a4165674 nixos/pam: support Kanidm 2023-06-11 17:17:42 +02:00
Jenny
0adbf8feb4
nixos/pam_mount: fix mounts without options (#234026)
This commit adds a comma in front of the given options, which makes the
mounts still succeed even if no options are given.

Fixes #233946
2023-05-25 22:45:59 +02:00
Jenny
7abd408b7f
nixos/pam_mount: fix cryptmount options (#232873)
There was a bug in the pam_mount module that crypt mount options were
not passed to the mount.crypt command. This is now fixed and
additionally, a cryptMountOptions NixOS option is added to define mount
options that should apply to all crypt mounts.

Fixes #230920
2023-05-20 17:40:36 +02:00
Robert Hensing
25f227fc67
Merge pull request #231316 from hercules-ci/nixos-system.checks
NixOS: add `system.checks`
2023-05-15 23:16:29 +02:00
Nick Cao
1de301aef3
Merge pull request #231954 from mac-chaffee/acme-ipv6
nixos/security/acme: Fix listenHTTP bug with IPv6 addresses
2023-05-15 07:30:57 -06:00
Raito Bezarius
3f446bfbd3 nixos/pam: fix ZFS support assertion
It was always complaining even if you didn't enable PAM ZFS.
2023-05-15 12:06:04 +02:00
Nicola Squartini
87cbaf7ce3 nixos/pam: assert ZFS support for PAM module 2023-05-15 09:22:42 +02:00
Nicola Squartini
5466f76755 nixos/pam: improve documentation of ZFS module 2023-05-15 09:22:39 +02:00
Nicola Squartini
09f4bf7f16 nixos/pam: enable unlocking ZFS home dataset 2023-05-15 09:20:40 +02:00
Mac Chaffee
33b15fdce0
security/acme: Fix listenHTTP bug with IPv6 addresses 2023-05-14 20:27:52 -04:00
Robert Hensing
2e2f0d28ea nixos: Use checks instead of extraDependencies
... as appropriate.

This drops a few unnecessary store paths from the system closure.
2023-05-11 21:18:38 +02:00
Ryan Lahfa
fe7b996d66
Merge pull request #230857 from s1341/bugfix_pam_sssd
nixos/pam: Allow password changing via sssd
2023-05-10 16:56:47 +02:00
fetsorn
5e77899001 nixos/tpm2: fix typo
"acess" -> "access"
2023-05-09 18:02:17 +04:00
fetsorn
ac5f6d9100 nixos/apparmor: fix typo
"usualy" -> "usually"
2023-05-09 18:02:17 +04:00
s1341
e2d538fead pam: remove unused try_first_pass 2023-05-09 13:45:15 +03:00
s1341
765ae4d581 nixos/pam: allow changing password using sssd 2023-05-09 13:43:06 +03:00
Nick Cao
3e3d82f42c
Merge pull request #227232 from datafoo/nixos-acme-fix-options-type
nixos/acme: fix options type
2023-04-24 10:01:04 +08:00
Artturi
b83db86a9e
Merge pull request #222080 from Stunkymonkey/nixos-optionalString 2023-04-20 16:07:30 +03:00
datafoo
2890af5e4b nixos/acme: fix options type
null is a possible default so the type must reflect that.
2023-04-20 11:52:57 +02:00
Felix Buehler
327b0cff7a treewide: use more lib.optionalString 2023-04-07 13:38:33 +02:00
Benjamin Staffin
ff296a777e
Merge pull request #207115 from s1341/init_freeipa
freeipa: init at 4.10.1
2023-03-30 13:15:18 -04:00
github-actions[bot]
d761f69867
Merge master into staging-next 2023-03-17 17:57:00 +00:00