Merge pull request #28189 from Nadrieril/ffsync-non-root

firefox syncserver service: run as non-root user by default
This commit is contained in:
Frederik Rietdijk 2017-08-24 20:47:52 +02:00 committed by GitHub
commit 31ba3649ec
2 changed files with 57 additions and 3 deletions


@ -154,6 +154,14 @@ rmdir /var/lib/ipfs/.ipfs
variables as parameters. variables as parameters.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<literal>services.firefox.syncserver</literal> now runs by default as a
non-root user. To accomodate this change, the default sqlite database
location has also been changed. Migration should work automatically.
Refer to the description of the options for more details.
</para>
</listitem>
</itemizedlist> </itemizedlist>
<para>Other notable improvements:</para> <para>Other notable improvements:</para>


@ -4,6 +4,10 @@ with lib;
let let
cfg = config.services.firefox.syncserver; cfg = config.services.firefox.syncserver;
defaultDbLocation = "/var/db/firefox-sync-server/firefox-sync-server.db";
defaultSqlUri = "sqlite:///${defaultDbLocation}";
syncServerIni = pkgs.writeText "syncserver.ini" '' syncServerIni = pkgs.writeText "syncserver.ini" ''
[DEFAULT] [DEFAULT]
overrides = ${cfg.privateConfig} overrides = ${cfg.privateConfig}
@ -25,6 +29,7 @@ let
backend = tokenserver.verifiers.LocalVerifier backend = tokenserver.verifiers.LocalVerifier
audiences = ${removeSuffix "/" cfg.publicUrl} audiences = ${removeSuffix "/" cfg.publicUrl}
''; '';
in in
{ {
@ -65,6 +70,18 @@ in
''; '';
}; };
user = mkOption {
type = types.str;
default = "syncserver";
description = "User account under which syncserver runs.";
};
group = mkOption {
type = types.str;
default = "syncserver";
description = "Group account under which syncserver runs.";
};
publicUrl = mkOption { publicUrl = mkOption {
type = types.str; type = types.str;
default = "http://localhost:5000/"; default = "http://localhost:5000/";
@ -85,7 +102,7 @@ in
sqlUri = mkOption { sqlUri = mkOption {
type = types.str; type = types.str;
default = "sqlite:////var/db/firefox-sync-server.db"; default = defaultSqlUri;
example = "postgresql://scott:tiger@localhost/test"; example = "postgresql://scott:tiger@localhost/test";
description = '' description = ''
The location of the database. This URL is composed of The location of the database. This URL is composed of
@ -126,16 +143,45 @@ in
description = "Firefox Sync Server"; description = "Firefox Sync Server";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = [ pkgs.coreutils syncServerEnv ]; path = [ pkgs.coreutils syncServerEnv ];
serviceConfig = {
User = cfg.user;
Group = cfg.group;
PermissionsStartOnly = true;
};
preStart = '' preStart = ''
if ! test -e ${cfg.privateConfig}; then if ! test -e ${cfg.privateConfig}; then
umask u=rwx,g=x,o=x mkdir -m 700 -p $(dirname ${cfg.privateConfig})
mkdir -p $(dirname ${cfg.privateConfig})
echo > ${cfg.privateConfig} '[syncserver]' echo > ${cfg.privateConfig} '[syncserver]'
echo >> ${cfg.privateConfig} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')" echo >> ${cfg.privateConfig} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')"
fi fi
chown ${cfg.user}:${cfg.group} ${cfg.privateConfig}
'' + optionalString (cfg.sqlUri == defaultSqlUri) ''
if ! test -e $(dirname ${defaultDbLocation}); then
mkdir -m 700 -p $(dirname ${defaultDbLocation})
chown ${cfg.user}:${cfg.group} $(dirname ${defaultDbLocation})
fi
# Move previous database file if it exists
oldDb="/var/db/firefox-sync-server.db"
if test -f $oldDb; then
mv $oldDb ${defaultDbLocation}
chown ${cfg.user}:${cfg.group} ${defaultDbLocation}
fi
''; '';
serviceConfig.ExecStart = "${syncServerEnv}/bin/paster serve ${syncServerIni}"; serviceConfig.ExecStart = "${syncServerEnv}/bin/paster serve ${syncServerIni}";
}; };
users.extraUsers = optionalAttrs (cfg.user == "syncserver")
(singleton {
name = "syncserver";
group = cfg.group;
isSystemUser = true;
});
users.extraGroups = optionalAttrs (cfg.group == "syncserver")
(singleton {
name = "syncserver";
});
}; };
} }
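Review bot: The secret file written by `echo > ${cfg.privateConfig}` in the preStart hunk is now created under the default umask, because the former `umask u=rwx,g=x,o=x` line was replaced by `mkdir -m 700 -p` on the parent directory and the `chown` after the `fi` changes ownership only, not mode; whenever `$(dirname ${cfg.privateConfig})` already exists with a permissive mode, the generated `secret = …` line is readable by every local account. Setting the mode explicitly next to the ownership change restores the previous guarantee, e.g. `chmod 600 ${cfg.privateConfig}` directly after the existing `chown ${cfg.user}:${cfg.group} ${cfg.privateConfig}`. Conversely, when `mkdir -m 700` does have to create that directory it stays root-owned (preStart runs as root via `PermissionsStartOnly = true`), so the `cfg.user` process may be unable to traverse it to open the file it now owns; this depends on the default `privateConfig` path, which is not visible in this hunk, and is worth confirming. The same `mkdir -m 700` followed by `chown` pattern used for `${defaultDbLocation}` below is what the config directory would need here too.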