authorNadrieril <nadrieril@gmail.com>2017-08-07 23:55:43 +0100
committerNadrieril <nadrieril@gmail.com>2017-08-12 14:42:50 +0100
commit69a4836df5f586468755d4897cba02fc40dac24e (patch)
tree25dc5979e2f478e8d139bcc6611a7b5378c1da96
parentc06fb4a269d1b3f42238047f49f7742ce35488fe (diff)
firefox syncserver service: run as non-root user by default
-rw-r--r--nixos/doc/manual/release-notes/rl-1709.xml8
-rw-r--r--nixos/modules/services/networking/firefox/sync-server.nix52
2 files changed, 57 insertions, 3 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1709.xml b/nixos/doc/manual/release-notes/rl-1709.xml
index a32f9963d1c5..90d7bd4b550b 100644
--- a/nixos/doc/manual/release-notes/rl-1709.xml
+++ b/nixos/doc/manual/release-notes/rl-1709.xml
@@ -154,6 +154,14 @@ rmdir /var/lib/ipfs/.ipfs
       variables as parameters.
     </para>
   </listitem>
+  <listitem>
+    <para>
+      <literal>services.firefox.syncserver</literal> now runs by default as a
+      non-root user. To accomodate this change, the default sqlite database
+      location has also been changed. Migration should work automatically.
+      Refer to the description of the options for more details.
+    </para>
+  </listitem>
 </itemizedlist>
 
 <para>Other notable improvements:</para>
diff --git a/nixos/modules/services/networking/firefox/sync-server.nix b/nixos/modules/services/networking/firefox/sync-server.nix
index c1a14931429a..a9f3fd65d76b 100644
--- a/nixos/modules/services/networking/firefox/sync-server.nix
+++ b/nixos/modules/services/networking/firefox/sync-server.nix
@@ -4,6 +4,10 @@ with lib;
 
 let
   cfg = config.services.firefox.syncserver;
+
+  defaultDbLocation = "/var/db/firefox-sync-server/firefox-sync-server.db";
+  defaultSqlUri = "sqlite:///${defaultDbLocation}";
+
   syncServerIni = pkgs.writeText "syncserver.ini" ''
     [DEFAULT]
     overrides = ${cfg.privateConfig}
@@ -25,6 +29,7 @@ let
     backend = tokenserver.verifiers.LocalVerifier
     audiences = ${removeSuffix "/" cfg.publicUrl}
   '';
+
 in
 
 {
@@ -65,6 +70,18 @@ in
         '';
       };
 
+      user = mkOption {
+        type = types.str;
+        default = "syncserver";
+        description = "User account under which syncserver runs.";
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = "syncserver";
+        description = "Group account under which syncserver runs.";
+      };
+
       publicUrl = mkOption {
         type = types.str;
         default = "http://localhost:5000/";
@@ -85,7 +102,7 @@ in
 
       sqlUri = mkOption {
         type = types.str;
-        default = "sqlite:////var/db/firefox-sync-server.db";
+        default = defaultSqlUri;
         example = "postgresql://scott:tiger@localhost/test";
         description = ''
           The location of the database. This URL is composed of
@@ -126,16 +143,45 @@ in
       description = "Firefox Sync Server";
       wantedBy = [ "multi-user.target" ];
       path = [ pkgs.coreutils syncServerEnv ];
+
+      serviceConfig = {
+        User = cfg.user;
+        Group = cfg.group;
+        PermissionsStartOnly = true;
+      };
+
       preStart = ''
         if ! test -e ${cfg.privateConfig}; then
-          umask u=rwx,g=x,o=x
-          mkdir -p $(dirname ${cfg.privateConfig})
+          mkdir -m 700 -p $(dirname ${cfg.privateConfig})
           echo  > ${cfg.privateConfig} '[syncserver]'
           echo >> ${cfg.privateConfig} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')"
         fi
+        chown ${cfg.user}:${cfg.group} ${cfg.privateConfig}
+      '' + optionalString (cfg.sqlUri == defaultSqlUri) ''
+        if ! test -e $(dirname ${defaultDbLocation}); then
+          mkdir -m 700 -p $(dirname ${defaultDbLocation})
+          chown ${cfg.user}:${cfg.group} $(dirname ${defaultDbLocation})
+        fi
+        # Move previous database file if it exists
+        oldDb="/var/db/firefox-sync-server.db"
+        if test -f $oldDb; then
+          mv $oldDb ${defaultDbLocation}
+          chown ${cfg.user}:${cfg.group} ${defaultDbLocation}
+        fi
       '';
       serviceConfig.ExecStart = "${syncServerEnv}/bin/paster serve ${syncServerIni}";
     };
 
+    users.extraUsers = optionalAttrs (cfg.user == "syncserver")
+      (singleton {
+        name = "syncserver";
+        group = cfg.group;
+        isSystemUser = true;
+      });
+
+    users.extraGroups = optionalAttrs (cfg.group == "syncserver")
+      (singleton {
+        name = "syncserver";
+      });
   };
 }
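Review bot: The secret written by `echo  > ${cfg.privateConfig} '[syncserver]'` is now created under the shell's default umask, because the removed `umask u=rwx,g=x,o=x` line was what made that file 0600, while the replacement `mkdir -m 700 -p` only sets the mode of the leaf directory it creates and leaves a pre-existing directory's mode untouched. In a typical 022 environment the file ends up 0644, so any account that can traverse the directory holding `cfg.privateConfig` (a path the admin may point anywhere) can read the token-server secret. Restoring `umask 077` as the first line inside the `if`, or adding `chmod 600 ${cfg.privateConfig}` next to the unconditional `chown ${cfg.user}:${cfg.group} ${cfg.privateConfig}`, protects the file independently of the directory mode. Separately, `mv $oldDb ${defaultDbLocation}` has no guard against an existing target; this only matters if the old file reappears after the first migration, but `mv -n` would keep it from silently replacing a database the service has since created.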