diff options
| author | John Ericson <John.Ericson@Obsidian.Systems> | 2023-02-02 13:20:44 -0500 |
|---|---|---|
| committer | John Ericson <John.Ericson@Obsidian.Systems> | 2023-02-02 14:17:24 -0500 |
| commit | a47e055e090a85884413dfc7889897f4e3d831fb (patch) | |
| tree | bbffaaa40b1bfdf49bee1136c9dec1962134b10c /src/libstore/daemon.cc | |
| parent | 5cbeff64f22c854ebeebeb81d6ac247f1ee6aa2a (diff) | |
Move `trustedUsers` and `allowedUsers` to separate config struct
These settings are not needed for libstore at all, they are just used by
the nix daemon *command* for authorization on unix domain sockets. My
moving them to a new configuration struct just in that file, we avoid
them leaking anywhere else.
Also, it is good to break up the mammoth `Settings` struct in general.
Issue #5638 tracks this.
The message is not changed because I do not want to regress in
convenience to the user. Just saying "this connection is not trusted"
doesn't tell them out to fix the issue. The ideal thing to do would be
to somehow parameterize `processCommand` on how the error should be
displayed, so different sorts of connections can display different
information to the user based on how authentication is performed for the
connection in question. This, however, is a good bit more work, so it is
left for the future.
This came up with me thinking about the tcp:// store (#5265). The larger
project is not TCP *per se*, but the idea that it should be possible for
something else to manage access control to services like the Nix Daemon,
and those services simply trust or trust the incoming connection as they
are told. This is a more capability-oriented way of thinking about trust
than "every server implements its own auth separately" as we are used to today.
Its very great that libstore itself already implements just this model,
and so via this refactor I basically want to "enshrine" that so it
continues to be the case.
Diffstat (limited to 'src/libstore/daemon.cc')
| -rw-r--r-- | src/libstore/daemon.cc | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/src/libstore/daemon.cc b/src/libstore/daemon.cc index d6621ec0b..591693a64 100644 --- a/src/libstore/daemon.cc +++ b/src/libstore/daemon.cc @@ -529,7 +529,14 @@ static void performOp(TunnelLogger * logger, ref<Store> store, mode = (BuildMode) readInt(from); /* Repairing is not atomic, so disallowed for "untrusted" - clients. */ + clients. + + FIXME: layer violation in this message: the daemon code (i.e. + this file) knows whether a client/connection is trusted, but it + does not how how the client was authenticated. The mechanism + need not be getting the UID of the other end of a Unix Domain + Socket. + */ if (mode == bmRepair && !trusted) throw Error("repairing is not allowed because you are not in 'trusted-users'"); } @@ -546,7 +553,9 @@ static void performOp(TunnelLogger * logger, ref<Store> store, mode = (BuildMode) readInt(from); /* Repairing is not atomic, so disallowed for "untrusted" - clients. */ + clients. + + FIXME: layer violation; see above. */ if (mode == bmRepair && !trusted) throw Error("repairing is not allowed because you are not in 'trusted-users'"); |