From 929a00bd84acbf35447d3df1066b1c8afd7ac82d Mon Sep 17 00:00:00 2001
From: Luflosi
Date: Fri, 14 Apr 2023 02:26:32 +0200
Subject: [PATCH] nixos/kubo: give normal users access to the daemon by default

Fixes https://github.com/NixOS/nixpkgs/issues/223289. This doesn't reduce the security in any way since it was already possible for normal users to do what I do here and create such a fake repo for themselves and set their $IPFS_PATH variable to it. It was and still is also possible to just use the --api CLI option. This change just removes the manual setup that would otherwise be required. We wouldn't need this workaround if https://github.com/ipfs/kubo/pull/9366 was merged but the fix seems to have been ignored upstream. Patching it ourselves seems like a bad idea since the patch has security implications.
---
 .../modules/services/network-filesystems/kubo.nix | 14 +++++++++++++-
 nixos/tests/kubo.nix | 13 ++++++++++++-
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/network-filesystems/kubo.nix b/nixos/modules/services/network-filesystems/kubo.nix
index 468e47d749b7..716be4fd59a9 100644
--- a/nixos/modules/services/network-filesystems/kubo.nix
+++ b/nixos/modules/services/network-filesystems/kubo.nix
@@ -22,6 +22,18 @@ let configFile = settingsFormat.generate "kubo-config.json" customizedConfig; + # Create a fake repo containing only the file "api". + # $IPFS_PATH will point to this directory instead of the real one. + # For some reason the Kubo CLI tools insist on reading the + # config file when it exists. But the Kubo daemon sets the file + # permissions such that only the ipfs user is allowed to read + # this file. This prevents normal users from talking to the daemon. + # To work around this terrible design, create a fake repo with no + # config file, only an api file and everything should work as expected. + fakeKuboRepo = pkgs.writeTextDir "api" '' + /unix/run/ipfs.sock + ''; + kuboFlags = utils.escapeSystemdExecArgs ( optional cfg.autoMount "--mount" ++ optional cfg.enableGC "--enable-gc" ++ @@ -248,7 +260,7 @@ in ]; environment.systemPackages = [ cfg.package ]; - environment.variables.IPFS_PATH = cfg.dataDir; + environment.variables.IPFS_PATH = fakeKuboRepo; # https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size boot.kernel.sysctl."net.core.rmem_max" = mkDefault 2500000; diff --git a/nixos/tests/kubo.nix b/nixos/tests/kubo.nix index e0bd918150ac..dfe653b5d271 100644 --- a/nixos/tests/kubo.nix +++ b/nixos/tests/kubo.nix @@ -12,6 +12,9 @@ settings.Addresses.API = "/ip4/127.0.0.1/tcp/2324"; dataDir = "/mnt/ipfs"; }; + users.users.alice = { + isNormalUser = true; + }; }; nodes.fuse = { ... }: { @@ -25,6 +28,14 @@ testScript = '' start_all() + with subtest("Automatic socket activation"): + ipfs_hash = machine.succeed( + "echo fnord0 | su alice -l -c 'ipfs add --quieter'" + ) + machine.succeed(f"ipfs cat /ipfs/{ipfs_hash.strip()} | grep fnord0") + + machine.stop_job("ipfs") + with subtest("IPv4 socket activation"): machine.succeed("ipfs --api /ip4/127.0.0.1/tcp/2324 id") ipfs_hash = machine.succeed( 
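Review bot: The address `/unix/run/ipfs.sock` is hard-coded in `fakeKuboRepo`, so the api file can silently drift from whatever creates that socket; the socket definition is not in this hunk, so the duplication is inferred. Binding the path to one name in this `let` block and using it in both places would keep them together. The comment should also record that the api file carries no credentials, so after this change access to the daemon is decided only by the permissions on that socket, e.g. `# Access control is now the socket's file mode; keep that in mind before loosening it.` Replacing "For some reason" and "terrible design" with a pointer to https://github.com/ipfs/kubo/pull/9366 would tell the next maintainer when the workaround can go. The `let` block starts and ends outside the hunk.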
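Review bot: `environment.variables.IPFS_PATH = fakeKuboRepo;` is set unconditionally even though the commit title says "by default", so nothing visible here lets an administrator keep `cfg.dataDir` or decline to point every login shell at the daemon socket. Writing it as `environment.variables.IPFS_PATH = mkDefault fakeKuboRepo;` (`mkDefault` is already used two lines below) would make it overridable without `mkForce`. Root and the ipfs user inherit the fake repo as well, so commands that need the real repository, such as editing the config while the daemon is stopped, presumably now require `IPFS_PATH` to be set by hand; that deserves a line in the option documentation or release notes. The enclosing config block starts and ends outside the hunk.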
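Review bot: The new subtest in `testScript` shows that alice can add content, but it never checks that the real repository stays private, and its `ipfs cat` half runs as root rather than as alice. The commit's security argument rests on the real config remaining readable only by the ipfs user, so a negative assertion such as `machine.fail("su alice -l -c 'cat /mnt/ipfs/config'")` (assuming the config sits directly under the node's `dataDir`) would pin that down. Running the read-back through `su alice -l -c` as well would cover both directions for the unprivileged user. The name "Automatic socket activation" also hides what is being verified; "Unprivileged user access via default IPFS_PATH" would describe it better. The test script continues outside the hunk.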
@@ -51,7 +62,7 @@ # See https://github.com/ipfs/kubo/issues/9044. # Workaround: using CID Version 1 avoids that. ipfs_hash = fuse.succeed( - "echo fnord3 | ipfs --api /ip4/127.0.0.1/tcp/2324 add --quieter --cid-version=1" + "echo fnord3 | ipfs add --quieter --cid-version=1" ).strip() fuse.succeed(f"cat /ipfs/{ipfs_hash} | grep fnord3")