author | John Ericson <John.Ericson@Obsidian.Systems> | 2020-08-12 18:22:31 +0000 |
---|---|---|
committer | John Ericson <John.Ericson@Obsidian.Systems> | 2020-08-12 18:22:31 +0000 |
commit | 5d67f18c86f43d4efa57a5f0dcc3f1d27499ca2a (patch) | |
tree | e54d0542bb640201bbff46fc091267c0ff98269b /src/libstore | |
parent | 4720853129b6866775edd9f90ad6f10701f98a3c (diff) | |
parent | 8d4162ff9e940ea9e2f97b07f3030a722695901a (diff) |
Merge branch 'daemon-auth-cleanup' of github.com:obsidiansystems/nix into HEAD
Diffstat (limited to 'src/libstore')
-rw-r--r-- | src/libstore/build.cc | 3 | ||||
-rw-r--r-- | src/libstore/daemon.cc | 13 | ||||
-rw-r--r-- | src/libstore/daemon.hh | 7 |
3 files changed, 9 insertions, 14 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc index d6e6ad6a9..68dd3863c 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -2920,7 +2920,8 @@ void DerivationGoal::startDaemon() FdSink to(remote.get()); try { daemon::processConnection(store, from, to, - daemon::NotTrusted, daemon::Recursive, "nobody", 65535); + daemon::NotTrusted, daemon::Recursive, + [&](Store & store) { store.createUser("nobody", 65535); }); debug("terminated daemon connection"); } catch (SysError &) { ignoreException(); diff --git a/src/libstore/daemon.cc b/src/libstore/daemon.cc index 5e568fc94..7a6eb99be 100644 --- a/src/libstore/daemon.cc +++ b/src/libstore/daemon.cc @@ -817,8 +817,7 @@ void processConnection( FdSink & to, TrustedFlag trusted, RecursiveFlag recursive, - const std::string & userName, - uid_t userId) + std::function<void(Store &)> authHook) { auto monitor = !recursive ? std::make_unique<MonitorFdHup>(from.fd) : nullptr; @@ -859,15 +858,7 @@ void processConnection( /* If we can't accept clientVersion, then throw an error *here* (not above). */ - -#if 0 - /* Prevent users from doing something very dangerous. */ - if (geteuid() == 0 && - querySetting("build-users-group", "") == "") - throw Error("if you run 'nix-daemon' as root, then you MUST set 'build-users-group'!"); -#endif - - store->createUser(userName, userId); + authHook(*store); tunnelLogger->stopWork(); to.flush(); diff --git a/src/libstore/daemon.hh b/src/libstore/daemon.hh index 266932013..841ace316 100644 --- a/src/libstore/daemon.hh +++ b/src/libstore/daemon.hh 
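Review bot: In the lambda added to the `daemon::processConnection` call in `DerivationGoal::startDaemon()`, the parameter `store` shadows the outer `store` passed as the first argument of the same call, and `[&]` captures the enclosing scope although the body uses only its parameter. Renaming the parameter and dropping the capture makes it obvious which object `createUser` runs on: `[](Store & s) { s.createUser("nobody", 65535); }`. The literals `"nobody"` and `65535` are the identity this `NotTrusted` connection is registered under, so a named constant or a one-line comment saying why that identity is used would help the next reader. startDaemon's body continues outside the hunk.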
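Review bot: `authHook` is taken as a `std::function<void(Store &)>` by value and invoked unconditionally as `authHook(*store);` in the second daemon.cc hunk, so an empty function object is accepted at the call site and only fails with `std::bad_function_call` once the client version has been negotiated. The hook is now the only place where the user is registered or a client can be refused, so an unset hook is worth rejecting up front, e.g. `if (!authHook) throw Error("processConnection: authHook must be set");` as the first statement of the body. The hunks do not show whether the handler around the later call reports a non-`Error` exception back to the client, and the early check avoids depending on that. processConnection's body extends beyond both hunks.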
@@ -12,7 +12,10 @@ void processConnection( FdSink & to, TrustedFlag trusted, RecursiveFlag recursive, - const std::string & userName, - uid_t userId); + /* Arbitrary hook to check authorization / initialize user data / whatever + after the protocol has been negotiated. The idea is that this function + and everything it calls doesn't know about this stuff, and the + `nix-daemon` handles that instead. */ + std::function<void(Store &)> authHook); } |
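Review bot: The new comment on `authHook` leaves the hook's contract unstated: the signature returns `void`, so the only way for it to refuse a client is to throw, and the `trusted` flag is still chosen separately by the caller rather than by the hook. I would replace "/ whatever" with those two facts. It should also say that the hook is called once per connection, after version negotiation and before any operation is processed (the last part is inferred from the call site in daemon.cc, please confirm). The declaration now names `std::function`, and the include list is outside this hunk, so if daemon.hh does not already get `<functional>` through another header, add `#include <functional>`.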