authorFlorian Klink <flokli@flokli.de>2020-08-16 12:23:12 +0200
committerGitHub <noreply@github.com>2020-08-16 12:23:12 +0200
commit609eb86db707c836564d42c88f531bb774db64a9 (patch)
treebecde95a1079fc06d33e642218e967f6379f7992 /nixos
parentd4203693549d20d062db253b087780df93ac66c5 (diff)
parent2519e54befed7bb3fdec8c8be69acbb9f0a2dd7d (diff)
Merge pull request #95444 from doronbehar/fix/mount+s
nixos/wrappers: make mount have the +s bit.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/security/wrappers/default.nix3
-rw-r--r--nixos/tests/misc.nix32
2 files changed, 35 insertions, 0 deletions
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index a0fadb018eca..2def74f85353 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -160,8 +160,11 @@ in
config = {
security.wrappers = {
+ # These are mount related wrappers that require the +s permission.
fusermount.source = "${pkgs.fuse}/bin/fusermount";
fusermount3.source = "${pkgs.fuse3}/bin/fusermount3";
+ mount.source = "${lib.getBin pkgs.utillinux}/bin/mount";
+ umount.source = "${lib.getBin pkgs.utillinux}/bin/umount";
};
boot.specialFileSystems.${parentWrapperDir} = {
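Review bot: The comment above the new `mount`/`umount` entries says they require +s but not why, nor what an entry with only `source` set ends up as; with no `owner`/`setuid`/`permissions` given, the module's defaults appear to apply (owner root, setuid, executable by everyone), which is worth stating since this adds two setuid-root binaries to every NixOS system. Suggest replacing the comment with `# mount/umount are installed setuid root (the module default when only "source" is set) so that unprivileged users can (un)mount fstab entries carrying the "user"/"users" option; util-linux drops privileges for anything else.` Whether `mount` on a user's PATH resolves to the wrapper rather than the store binary is assumed here, not shown by this hunk. The enclosing `config = {` attribute set continues past the end of the hunk.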
diff --git a/nixos/tests/misc.nix b/nixos/tests/misc.nix
index 17260ce64067..ae1505532734 100644
--- a/nixos/tests/misc.nix
+++ b/nixos/tests/misc.nix
@@ -20,12 +20,24 @@ import ./make-test-python.nix ({ pkgs, ...} : rec {
{ fsType = "tmpfs";
options = [ "mode=1777" "noauto" ];
};
+ # Tests https://discourse.nixos.org/t/how-to-make-a-derivations-executables-have-the-s-permission/8555
+ "/user-mount/point" = {
+ device = "/user-mount/source";
+ fsType = "none";
+ options = [ "bind" "rw" "user" "noauto" ];
+ };
+ "/user-mount/denied-point" = {
+ device = "/user-mount/denied-source";
+ fsType = "none";
+ options = [ "bind" "rw" "noauto" ];
+ };
};
systemd.automounts = singleton
{ wantedBy = [ "multi-user.target" ];
where = "/tmp2";
};
users.users.sybil = { isNormalUser = true; group = "wheel"; };
+ users.users.alice = { isNormalUser = true; };
security.sudo = { enable = true; wheelNeedsPassword = false; };
boot.kernel.sysctl."vm.swappiness" = 1;
boot.kernelParams = [ "vsyscall=emulate" ];
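Review bot: The comment on the two new fstab entries only links to a forum thread, so a reader of the test has to leave the file to learn what is being asserted; suggest `# Regression test for #95444: the entry with the "user" option must be mountable by an unprivileged user through the setuid mount wrapper, the entry without it must be refused.` The test script later runs `chown alice:users ...`, which presumably relies on `isNormalUser` placing alice in group `users`; a short comment on the `users.users.alice` line saying so would keep that coupling visible.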
@@ -112,6 +124,26 @@ import ./make-test-python.nix ({ pkgs, ...} : rec {
machine.succeed("touch /tmp2/x")
machine.succeed("grep '/tmp2 tmpfs' /proc/mounts")
+ with subtest(
+ "Whether mounting by a user is possible with the `user` option in fstab (#95444)"
+ ):
+ machine.succeed("mkdir -p /user-mount/source")
+ machine.succeed("touch /user-mount/source/file")
+ machine.succeed("chmod -R a+Xr /user-mount/source")
+ machine.succeed("mkdir /user-mount/point")
+ machine.succeed("chown alice:users /user-mount/point")
+ machine.succeed("su - alice -c 'mount /user-mount/point'")
+ machine.succeed("su - alice -c 'ls /user-mount/point/file'")
+ with subtest(
+ "Whether mounting by a user is denied without the `user` option in fstab"
+ ):
+ machine.succeed("mkdir -p /user-mount/denied-source")
+ machine.succeed("touch /user-mount/denied-source/file")
+ machine.succeed("chmod -R a+Xr /user-mount/denied-source")
+ machine.succeed("mkdir /user-mount/denied-point")
+ machine.succeed("chown alice:users /user-mount/denied-point")
+ machine.fail("su - alice -c 'mount /user-mount/denied-point'")
+
with subtest("shell-vars"):
machine.succeed('[ -n "$NIX_PATH" ]')
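Review bot: The `umount` wrapper added in the same change is never exercised: alice mounts `/user-mount/point` and lists it, but nothing checks that she can also unmount it, so a broken umount wrapper would pass this test; suggest adding `machine.succeed("su - alice -c 'umount /user-mount/point'")` after the `ls` line. `machine.fail` in the denied subtest accepts any non-zero exit, so that subtest only proves a refusal because the preceding positive subtest already established that `mount` is reachable and working for alice — the ordering matters and deserves a one-line comment. Since the `user` option implies `nosuid,nodev,noexec` per mount(8), the positive subtest could additionally assert those flags for the mount point from `/proc/mounts`. The `testScript` these subtests belong to begins before the hunk.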