author | Peter Hoeg <peter@hoeg.com> | 2020-09-09 09:10:46 +0800 |
committer | GitHub <noreply@github.com> | 2020-09-09 09:10:46 +0800 |
commit | 42eebd7adef51b36c597753b3aaf6347864d176e (patch) | |
tree | b7d91cbfdbbdce706ea74e8f0a055648d2865ded /nixos | |
parent | b169bfc9e2c981a46680c53343258d90be6f6d9f (diff) | |
parent | d6264419f5c2ea3601f65f607f5ea8b187548bc7 (diff) | |
Merge pull request #96844 from peterhoeg/m/nfs
nixos/nfsd: run rpc-statd as a normal user
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/network-filesystems/nfsd.nix | 60 | ||||
-rw-r--r-- | nixos/modules/tasks/filesystems/nfs.nix | 9 |
2 files changed, 34 insertions, 35 deletions
diff --git a/nixos/modules/services/network-filesystems/nfsd.nix b/nixos/modules/services/network-filesystems/nfsd.nix
index 1b62bfa82035..398ef73449fa 100644
--- a/nixos/modules/services/network-filesystems/nfsd.nix
+++ b/nixos/modules/services/network-filesystems/nfsd.nix
@@ -8,6 +8,8 @@ let
 exports = pkgs.writeText "exports" cfg.exports;
+ rpcUser = "statd";
+
 in
 {
@@ -140,36 +142,40 @@ in
 environment.etc.exports.source = exports;
- systemd.services.nfs-server =
- { enable = true;
- wantedBy = [ "multi-user.target" ];
+ systemd.services.nfs-server = {
+ enable = true;
+ wantedBy = [ "multi-user.target" ];
+ };
- preStart =
- ''
- mkdir -p /var/lib/nfs/v4recovery
- '';
- };
+ systemd.services.nfs-mountd = {
+ enable = true;
+ restartTriggers = [ exports ];
+
+ preStart = optionalString cfg.createMountPoints ''
+ # create export directories:
+ # skip comments, take first col which may either be a quoted
+ # "foo bar" or just foo (-> man export)
+ sed '/^#.*/d;s/^"\([^"]*\)".*/\1/;t;s/[ ].*//' ${exports} \
+ | xargs -d '\n' mkdir -p
+ '';
+ };
- systemd.services.nfs-mountd =
- { enable = true;
- restartTriggers = [ exports ];
-
- preStart =
- ''
- mkdir -p /var/lib/nfs
-
- ${optionalString cfg.createMountPoints
- ''
- # create export directories:
- # skip comments, take first col which may either be a quoted
- # "foo bar" or just foo (-> man export)
- sed '/^#.*/d;s/^"\([^"]*\)".*/\1/;t;s/[ ].*//' ${exports} \
- | xargs -d '\n' mkdir -p
- ''
- }
- '';
+ # rpc-statd will drop privileges by changing user from root to the owner of
+ # /var/lib/nfs
+ systemd.tmpfiles.rules = [
+ "d /var/lib/nfs 0700 ${rpcUser} ${rpcUser} - -"
+ ] ++ map (e:
+ "d /var/lib/nfs/${e} 0755 root root - -"
+ ) [ "recovery" "v4recovery" "sm" "sm.bak" ];
+
+ users = {
+ groups."${rpcUser}" = {};
+ users."${rpcUser}" = {
+ description = "NFS RPC user";
+ group = rpcUser;
+ isSystemUser = true;
 };
-
+ };
 };
 }
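Review bot: The tmpfiles rules in the second hunk create sm and sm.bak as `0755 root root` while the comment directly above them says rpc-statd drops privileges to the owner of /var/lib/nfs; once it runs as ${rpcUser} it can no longer create or update entries in those two directories if, as nfs-utils normally does, it keeps its monitor list there, so lock-recovery notifications would fail after the privilege drop rather than before it. Give the statd-written directories to the same user and keep only the nfsd-owned ones as root, e.g. `] ++ map (e: "d /var/lib/nfs/${e} 0755 root root - -") [ "recovery" "v4recovery" ]` followed by `++ map (e: "d /var/lib/nfs/${e} 0755 ${rpcUser} ${rpcUser} - -") [ "sm" "sm.bak" ];`. A `d` rule also re-applies owner and mode to a directory that already exists, so on upgraded hosts /var/lib/nfs is re-owned to ${rpcUser} at the next boot; that deserves a line in the comment. The enclosing config attribute set begins before this hunk.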
diff --git a/nixos/modules/tasks/filesystems/nfs.nix b/nixos/modules/tasks/filesystems/nfs.nix
index ddcc0ed8f5a4..67e5aa0bd58f 100644
--- a/nixos/modules/tasks/filesystems/nfs.nix
+++ b/nixos/modules/tasks/filesystems/nfs.nix
@@ -101,13 +101,6 @@ in
 };
 systemd.services.rpc-statd =
- { restartTriggers = [ nfsConfFile ];
-
- preStart =
- ''
- mkdir -p /var/lib/nfs/{sm,sm.bak}
- '';
- };
-
+ { restartTriggers = [ nfsConfFile ]; };
 };
 } |
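Review bot: Removing the preStart here leaves nothing in this module that creates /var/lib/nfs/sm and sm.bak for rpc-statd; the replacement tmpfiles rules and the statd user are added in nfsd.nix, and if that block only applies when the NFS server is enabled (the exports entry beside it suggests so), a client-only host still runs rpc-statd for NFSv3 locking but no longer gets the directories or the owner the privilege drop depends on. The user and the rules for /var/lib/nfs, sm and sm.bak belong in this module, which server and client both share, leaving only recovery and v4recovery to nfsd.nix; at minimum keep `systemd.tmpfiles.rules = [ "d /var/lib/nfs/sm 0755 statd statd - -" "d /var/lib/nfs/sm.bak 0755 statd statd - -" ];` next to the service. The enclosing config attribute set begins before this hunk.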