* When NIX_REMOTE is set to "slave", fork off nix-worker in slave
mode. Presumably nix-worker would be setuid to the Nix store user. The worker performs all operations on the Nix store and database, so the caller can be completely unprivileged. This is already much more secure than the old setuid scheme, since the worker doesn't need to do Nix expression evaluation and so on. Most importantly, this means that it doesn't need to access any user files, with all resulting security risks; it only performs pure store operations. Once this works, it is easy to move to a daemon model that forks off a worker for connections established through a Unix domain socket. That would be even more secure.
This commit is contained in:
Eelco Dolstra
parent
40b3f64b55
commit
765bdfe542
5 changed files with 87 additions and 24 deletions
|
|
@ -1,35 +1,21 @@
|
|||
#include "shared.hh"
|
||||
#include "local-store.hh"
|
||||
#include "util.hh"
|
||||
#include "serialise.hh"
|
||||
|
||||
using namespace nix;
|
||||
|
||||
|
||||
/* !!! Mostly cut&pasted from util/archive.hh */
|
||||
/* Use buffered reads. */
|
||||
static unsigned int readInt(int fd)
|
||||
void processConnection(Source & from, Sink & to)
|
||||
{
|
||||
unsigned char buf[8];
|
||||
readFull(fd, buf, sizeof(buf));
|
||||
if (buf[4] || buf[5] || buf[6] || buf[7])
|
||||
throw Error("implementation cannot deal with > 32-bit integers");
|
||||
return
|
||||
buf[0] |
|
||||
(buf[1] << 8) |
|
||||
(buf[2] << 16) |
|
||||
(buf[3] << 24);
|
||||
}
|
||||
store = boost::shared_ptr<StoreAPI>(new LocalStore(true));
|
||||
|
||||
|
||||
void processConnection(int fdFrom, int fdTo)
|
||||
{
|
||||
store = openStore();
|
||||
|
||||
unsigned int magic = readInt(fdFrom);
|
||||
unsigned int magic = readInt(from);
|
||||
if (magic != 0x6e697864) throw Error("protocol mismatch");
|
||||
|
||||
|
||||
|
||||
writeInt(0x6478696e, to);
|
||||
|
||||
debug("greeting exchanged");
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -43,8 +29,11 @@ void run(Strings args)
|
|||
if (arg == "--slave") slave = true;
|
||||
}
|
||||
|
||||
if (slave)
|
||||
processConnection(STDIN_FILENO, STDOUT_FILENO);
|
||||
if (slave) {
|
||||
FdSource source(STDIN_FILENO);
|
||||
FdSink sink(STDOUT_FILENO);
|
||||
processConnection(source, sink);
|
||||
}
|
||||
|
||||
else if (daemon)
|
||||
throw Error("daemon mode not implemented");
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue