diff options
author | Florian Klink <flokli@flokli.de> | 2019-10-18 14:05:53 +0200 |
---|---|---|
committer | Florian Klink <flokli@flokli.de> | 2019-10-20 16:37:41 +0200 |
commit | ca6c91e395763b3083b2cca40f733e66696d2506 (patch) | |
tree | 435e2dfa4269d86b24d63d390f41cfced75a8c59 /nixos | |
parent | f702ae151685e0b29f73e71dfbf8fcdcb7d903b0 (diff) | |
download | nixlib-ca6c91e395763b3083b2cca40f733e66696d2506.tar nixlib-ca6c91e395763b3083b2cca40f733e66696d2506.tar.gz nixlib-ca6c91e395763b3083b2cca40f733e66696d2506.tar.bz2 nixlib-ca6c91e395763b3083b2cca40f733e66696d2506.tar.lz nixlib-ca6c91e395763b3083b2cca40f733e66696d2506.tar.xz nixlib-ca6c91e395763b3083b2cca40f733e66696d2506.tar.zst nixlib-ca6c91e395763b3083b2cca40f733e66696d2506.zip |
nixos/networkmanager: remove networking.networkmanager.dynamicHosts
This option was removed because allowing (multiple) regular users to override host entries affecting the whole system opens up a huge attack vector. There seem to be very rare cases where this might be useful. Consider setting system-wide host entries using networking.hosts, provide them via the DNS server in your network, or use networking.networkmanager.appendNameservers to point your system to another (local) nameserver to set those entries.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2003.xml | 14 | ||||
-rw-r--r-- | nixos/modules/services/networking/networkmanager.nix | 87 |
2 files changed, 24 insertions, 77 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml index ab0951e831ce..33eba8002bab 100644 --- a/nixos/doc/manual/release-notes/rl-2003.xml +++ b/nixos/doc/manual/release-notes/rl-2003.xml @@ -85,7 +85,19 @@ <itemizedlist> <listitem> - <para /> + <para> + The <literal>dynamicHosts</literal> option has been removed from the + <link linkend="opt-networking.networkmanager.enable">networkd</link> + module. Allowing (multiple) regular users to override host entries + affecting the whole system opens up a huge attack vector. + There seem to be very rare cases where this might be useful. + Consider setting system-wide host entries using + <link linkend="opt-networking.hosts">networking.hosts</link>, provide + them via the DNS server in your network, or use + <link linkend="opt-environment.etc">environment.etc</link> + to add a file into <literal>/etc/NetworkManager/dnsmasq.d</literal> + reconfiguring <literal>hostsdir</literal>. + </para> </listitem> </itemizedlist> </section> diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index 3f1d0727d9bc..870a7264d268 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -17,9 +17,6 @@ let networkmanager-vpnc ] ++ optional (!delegateWireless && !enableIwd) wpa_supplicant; - dynamicHostsEnabled = - cfg.dynamicHosts.enable && cfg.dynamicHosts.hostsDirs != {}; - delegateWireless = config.networking.wireless.enable == true && cfg.unmanaged != []; enableIwd = cfg.wifi.backend == "iwd"; @@ -338,55 +335,20 @@ in { so you don't need to to that yourself. ''; }; - - dynamicHosts = { - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enabling this option requires the - <option>networking.networkmanager.dns</option> option to be - set to <literal>dnsmasq</literal>. If enabled, the directories - defined by the - <option>networking.networkmanager.dynamicHosts.hostsDirs</option> - option will be set up when the service starts. The dnsmasq instance - managed by NetworkManager will then watch those directories for - hosts files (see the <literal>--hostsdir</literal> option of - dnsmasq). This way a non-privileged user can add or override DNS - entries on the local system (depending on what hosts directories - that are configured).. - ''; - }; - hostsDirs = mkOption { - type = with types; attrsOf (submodule { - options = { - user = mkOption { - type = types.str; - default = "root"; - description = '' - The user that will own the hosts directory. - ''; - }; - group = mkOption { - type = types.str; - default = "root"; - description = '' - The group that will own the hosts directory. - ''; - }; - }; - }); - default = {}; - description = '' - Defines a set of directories (relative to - <literal>/run/NetworkManager/hostdirs</literal>) that dnsmasq will - watch for hosts files. - ''; - }; - }; }; }; + imports = [ + (mkRemovedOptionModule ["networking" "networkmanager" "dynamicHosts"] '' + This option was removed because allowing (multiple) regular users to + override host entries affecting the whole system opens up a huge attack + vector. There seem to be very rare cases where this might be useful. + Consider setting system-wide host entries using networking.hosts, provide + them via the DNS server in your network, or use environment.etc + to add a file into /etc/NetworkManager/dnsmasq.d reconfiguring hostsdir. + '') + ]; + ###### implementation @@ -399,12 +361,6 @@ in { Except if you mark some interfaces as <literal>unmanaged</literal> by NetworkManager. ''; } - { assertion = !dynamicHostsEnabled || (dynamicHostsEnabled && cfg.dns == "dnsmasq"); - message = '' - To use networking.networkmanager.dynamicHosts you also need to set - `networking.networkmanager.dns = "dnsmasq"` - ''; - } ]; environment.etc = with pkgs; [ @@ -438,12 +394,6 @@ in { target = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}"; mode = "0544"; }) cfg.dispatcherScripts - ++ optional dynamicHostsEnabled - { target = "NetworkManager/dnsmasq.d/dyndns.conf"; - text = concatMapStrings (n: '' - hostsdir=/run/NetworkManager/hostsdirs/${n} - '') (attrNames cfg.dynamicHosts.hostsDirs); - } ++ optional cfg.enableStrongSwan { source = "${pkgs.networkmanager_strongswan}/lib/NetworkManager/VPN/nm-strongswan-service.name"; target = "NetworkManager/VPN/nm-strongswan-service.name"; @@ -491,21 +441,6 @@ in { systemd.services.ModemManager.aliases = [ "dbus-org.freedesktop.ModemManager1.service" ]; - systemd.services.nm-setup-hostsdirs = mkIf dynamicHostsEnabled { - wantedBy = [ "NetworkManager.service" ]; - before = [ "NetworkManager.service" ]; - partOf = [ "NetworkManager.service" ]; - script = concatStrings (mapAttrsToList (n: d: '' - mkdir -p "/run/NetworkManager/hostsdirs/${n}" - chown "${d.user}:${d.group}" "/run/NetworkManager/hostsdirs/${n}" - chmod 0775 "/run/NetworkManager/hostsdirs/${n}" - '') cfg.dynamicHosts.hostsDirs); - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - }; - systemd.services.NetworkManager-dispatcher = { wantedBy = [ "network.target" ]; restartTriggers = [ configFile ]; |