dhcpcd: fix more permissions errors #351225

Merged: rnhmjoj merged 2 commits into NixOS:master from rnhmjoj:pr-dhcpcd-fix on Oct 26, 2024

@rnhmjoj (Contributor) commented Oct 25, 2024

Fixes for a couple more issues reported in #336988.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested via
    • dhcpcd.tests
    • nixosTests.simple
    • nixosTests.networking.scripted
    • nixosTests.networking.networkd
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Oct 25, 2024

@corngood (Contributor) commented

Do we need to worry about ACLs being available on the filesystem? I only see one existing call to setfacl in nixos/.

@rnhmjoj (Contributor, Author) commented Oct 25, 2024

> Do we need to worry about ACLs being available on the filesystem? I only see one existing call to setfacl in nixos/.

I think that every fs under the sun has them in 2024. That said, if we wanted to be really careful, I could use chgrp+chmod for the files in /etc and the ACLs only on /run/resolvconf. This is guaranteed to be on tmpfs, which does support them.

@corngood (Contributor) commented

> That said, if we wanted to be really careful, I could use chgrp+chmod for the files in /etc and the ACLs only on /run/resolvconf. This is guaranteed to be on tmpfs, which does support them.

I think if it can be done robustly with basic permissions, there's an argument for using them: ease of inspection with ls, compatibility with tar, etc.

Using it on /run/ seems fine.

@ofborg ofborg bot added 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. labels Oct 25, 2024

If `resolvconf` is invoked by a process not running with the resolvconf
group as primary group, other processes will run into trouble as files
or directories under /run/resolvconf won't have write permissions.

This ACL rule ensures that resolvconf files, including new files created by
any process, are always accessible by users of the resolvconf group.
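
The trade-off discussed above (chgrp+chmod versus a default ACL), as an added example that is not code from this PR or from nixpkgs: it creates a file as a writer with a restrictive umask, first in a setgid directory and then in the same directory with a default ACL, and reports the resulting mode. The temp directory, the `GROUP` variable standing in for the resolvconf group, and the umask-077 writer are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the PR). Assumes GNU/busybox `stat -c` and, for the
# ACL case, the `setfacl` tool. GROUP stands in for the resolvconf group and
# defaults to the caller's primary group; the umask-077 writer is constructed.

# mode_of_new_file DIRMODE [acl]
# Creates a scratch directory with DIRMODE, optionally adds a default ACL for
# GROUP, lets a writer with umask 077 create a file, prints the file's mode.
mode_of_new_file() {
    dir=$(mktemp -d) || return 1
    grp=${GROUP:-$(id -gn)}
    chmod "$1" "$dir"
    if [ "${2:-}" = acl ]; then
        # Default ACL entries are inherited by everything created in $dir.
        if ! setfacl -d -m "group:$grp:rwx" "$dir" 2>/dev/null; then
            rm -rf "$dir"
            return 2    # setfacl missing or filesystem without ACL support
        fi
    fi
    # The writer: a process that does not care about group access.
    ( umask 077; : > "$dir/resolv.conf" )
    mode=$(stat -c %a "$dir/resolv.conf")
    rm -rf "$dir"
    printf '%s\n' "$mode"
}

# chgrp+chmod style: setgid directory, group rwx. The directory bits fix the
# owning group of new files, but the writer's umask still strips g+w.
plain=$(mode_of_new_file 2770)
echo "setgid dir, umask 077 writer:  $plain"

# Same directory with a default ACL: the umask is ignored and the ACL mask
# (shown by stat as the group bits) keeps rw for the group.
if acl=$(mode_of_new_file 2770 acl); then
    echo "default ACL, umask 077 writer: $acl"
else
    echo "default ACL case skipped (no setfacl or no ACL support)"
fi
```

On a live system, `getfacl /run/resolvconf` shows whether a default ACL is in place on the directory.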

If dhcpcd receives a secondary IPv4 address from the DHCP server it
tries to enable automatic promotion from secondary to primary by writing
`1` to /proc/sys/net/ipv4/conf/%s/promote_secondaries.

@rnhmjoj (Contributor, Author) commented Oct 25, 2024

Done.

@rnhmjoj rnhmjoj merged commit 9a415c2 into NixOS:master Oct 26, 2024