From d6264419f5c2ea3601f65f607f5ea8b187548bc7 Mon Sep 17 00:00:00 2001
From: Peter Hoeg
Date: Tue, 1 Sep 2020 00:01:30 +0800
Subject: [PATCH] nixos/nfsd: run rpc-statd as a normal user
---
 .../services/network-filesystems/nfsd.nix | 62 ++++++++++---------
 nixos/modules/tasks/filesystems/nfs.nix | 9 +--
 2 files changed, 35 insertions(+), 36 deletions(-)
diff --git a/nixos/modules/services/network-filesystems/nfsd.nix b/nixos/modules/services/network-filesystems/nfsd.nix
index 1b62bfa82035..398ef73449fa 100644
--- a/nixos/modules/services/network-filesystems/nfsd.nix
+++ b/nixos/modules/services/network-filesystems/nfsd.nix
@@ -8,6 +8,8 @@ let
 exports = pkgs.writeText "exports" cfg.exports;
+ rpcUser = "statd";
+
 in {
@@ -140,36 +142,40 @@ in
 environment.etc.exports.source = exports;
- systemd.services.nfs-server =
- { enable = true;
- wantedBy = [ "multi-user.target" ];
+ systemd.services.nfs-server = {
+ enable = true;
+ wantedBy = [ "multi-user.target" ];
+ };
- preStart =
- ''
- mkdir -p /var/lib/nfs/v4recovery
- '';
+ systemd.services.nfs-mountd = {
+ enable = true;
+ restartTriggers = [ exports ];
+
+ preStart = optionalString cfg.createMountPoints ''
+ # create export directories:
+ # skip comments, take first col which may either be a quoted
+ # "foo bar" or just foo (-> man export)
+ sed '/^#.*/d;s/^"\([^"]*\)".*/\1/;t;s/[ ].*//' ${exports} \
+ | xargs -d '\n' mkdir -p
+ '';
+ };
+
+ # rpc-statd will drop privileges by changing user from root to the owner of
+ # /var/lib/nfs
+ systemd.tmpfiles.rules = [
+ "d /var/lib/nfs 0700 ${rpcUser} ${rpcUser} - -"
+ ] ++ map (e:
+ "d /var/lib/nfs/${e} 0755 root root - -"
+ ) [ "recovery" "v4recovery" "sm" "sm.bak" ];
+
+ users = {
+ groups."${rpcUser}" = {};
+ users."${rpcUser}" = {
+ description = "NFS RPC user";
+ group = rpcUser;
+ isSystemUser = true;
 };
-
- systemd.services.nfs-mountd =
- { enable = true;
- restartTriggers = [ exports ];
-
- preStart =
- ''
- mkdir -p /var/lib/nfs
-
- ${optionalString cfg.createMountPoints
- ''
- # create export directories:
- # skip comments, take first col which may either be a quoted
- # "foo bar" or just foo (-> man export)
- sed '/^#.*/d;s/^"\([^"]*\)".*/\1/;t;s/[ ].*//' ${exports} \
- | xargs -d '\n' mkdir -p
- ''
- }
- '';
- };
-
+ };
 };
 }
diff --git a/nixos/modules/tasks/filesystems/nfs.nix b/nixos/modules/tasks/filesystems/nfs.nix
index ddcc0ed8f5a4..67e5aa0bd58f 100644
--- a/nixos/modules/tasks/filesystems/nfs.nix
+++ b/nixos/modules/tasks/filesystems/nfs.nix
@@ -101,13 +101,6 @@ in
 };
 systemd.services.rpc-statd =
- { restartTriggers = [ nfsConfFile ];
-
- preStart =
- ''
- mkdir -p /var/lib/nfs/{sm,sm.bak}
- '';
- };
-
+ { restartTriggers = [ nfsConfFile ]; };
 };
 }
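Review bot: The `systemd.tmpfiles.rules` entry `"d /var/lib/nfs 0700 ${rpcUser} ${rpcUser} - -"` hands the unprivileged statd account ownership of the whole NFS state directory, including the `recovery`/`v4recovery` entries created here as `root root` for root-run nfsd, and a directory's owner can rename or unlink entries in it regardless of who owns the files. Meanwhile `sm` and `sm.bak`, the directories the removed rpc-statd preStart in nfs.nix used to create for that daemon, come out `0755 root root`, so once it has dropped to `${rpcUser}` it presumably can no longer create records there — worth confirming against nfs-utils. A narrower layout keeps the parent root-owned and gives statd only its own state directory, e.g. `"d /var/lib/nfs 0755 root root - -"` and `"d /var/lib/nfs/statd 0700 ${rpcUser} ${rpcUser} - -"` with `sm`/`sm.bak` created under it, and points rpc-statd at that path with `state-directory-path` in the `[statd]` section of the generated nfs.conf (`nfsConfFile` in nfs.nix). The comment above the rules should then name that directory rather than `/var/lib/nfs`. The enclosing attribute set begins before this hunk.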
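Review bot: Dropping the `mkdir -p /var/lib/nfs/{sm,sm.bak}` preStart makes rpc-statd depend on the `systemd.tmpfiles.rules` and `users` definitions added in nfsd.nix, which this module does not import; if those are only applied while the NFS server is enabled, as the server module's placement suggests, a client-only host will start rpc-statd without `sm`/`sm.bak` and with `/var/lib/nfs` still root-owned, so the daemon keeps running as root there. Since rpc-statd itself is defined here, the statd user/group and the tmpfiles rules for its state directory belong in this module (or somewhere both modules pull in) so the privilege drop happens wherever the daemon runs. A short comment on the trimmed service, e.g. `# /var/lib/nfs/{sm,sm.bak} and the statd user are provided by tmpfiles rules, not by this unit`, would make the dependency explicit. The enclosing attribute set begins before this hunk.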