nixos/kubo: give normal users access to the daemon by default
Fixes https://github.com/NixOS/nixpkgs/issues/223289. This doesn't reduce the security in any way since it was already possible for normal users to do what I do here and create such a fake repo for themselves and set their $IPFS_PATH variable to it. It was and still is also possible to just use the --api CLI option. This change just removes the manual setup that would otherwise be required. We wouldn't need this workaround if https://github.com/ipfs/kubo/pull/9366 was merged but the fix seems to have been ignored upstream. Patching it ourselves seems like a bad idea since the patch has security implications.
parent
409df93c01
commit
929a00bd84
@ -22,6 +22,18 @@ let
|
|||||||
|
|
||||||
configFile = settingsFormat.generate "kubo-config.json" customizedConfig;
|
configFile = settingsFormat.generate "kubo-config.json" customizedConfig;
|
||||||
|
|
||||||
|
# Create a fake repo containing only the file "api".
|
||||||
|
# $IPFS_PATH will point to this directory instead of the real one.
|
||||||
|
# For some reason the Kubo CLI tools insist on reading the
|
||||||
|
# config file when it exists. But the Kubo daemon sets the file
|
||||||
|
# permissions such that only the ipfs user is allowed to read
|
||||||
|
# this file. This prevents normal users from talking to the daemon.
|
||||||
|
# To work around this terrible design, create a fake repo with no
|
||||||
|
# config file, only an api file and everything should work as expected.
|
||||||
|
fakeKuboRepo = pkgs.writeTextDir "api" ''
|
||||||
|
/unix/run/ipfs.sock
|
||||||
|
'';
|
||||||
|
|
||||||
kuboFlags = utils.escapeSystemdExecArgs (
|
kuboFlags = utils.escapeSystemdExecArgs (
|
||||||
optional cfg.autoMount "--mount" ++
|
optional cfg.autoMount "--mount" ++
|
||||||
optional cfg.enableGC "--enable-gc" ++
|
optional cfg.enableGC "--enable-gc" ++
|
||||||
@ -248,7 +260,7 @@ in
|
|||||||
];
|
];
|
||||||
|
|
||||||
environment.systemPackages = [ cfg.package ];
|
environment.systemPackages = [ cfg.package ];
|
||||||
environment.variables.IPFS_PATH = cfg.dataDir;
|
environment.variables.IPFS_PATH = fakeKuboRepo;
|
||||||
|
|
||||||
# https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size
|
# https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size
|
||||||
boot.kernel.sysctl."net.core.rmem_max" = mkDefault 2500000;
|
boot.kernel.sysctl."net.core.rmem_max" = mkDefault 2500000;
|
||||||
|
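Review bot: The comment above `fakeKuboRepo` explains why the fake repo exists but not what it grants. `environment.variables.IPFS_PATH = fakeKuboRepo;` is set unconditionally, so every login session is pointed at `/run/ipfs.sock`, and Kubo's RPC API is an administrative interface (config changes, pin removal, shutdown), not a read-only one. The only remaining access control is the ownership and mode of that socket, which is defined outside these hunks, so the path hard-coded in the `api` file has to stay in sync with the socket unit. I would record this next to the definition, e.g. `# Anyone who can connect to /run/ipfs.sock gets the full RPC API; restrict the socket unit if that is too broad.` It is also worth noting there that commands needing the real repo (presumably offline ones run as the ipfs user) now have to set `IPFS_PATH` to `cfg.dataDir` themselves.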
@ -12,6 +12,9 @@
|
|||||||
settings.Addresses.API = "/ip4/127.0.0.1/tcp/2324";
|
settings.Addresses.API = "/ip4/127.0.0.1/tcp/2324";
|
||||||
dataDir = "/mnt/ipfs";
|
dataDir = "/mnt/ipfs";
|
||||||
};
|
};
|
||||||
|
users.users.alice = {
|
||||||
|
isNormalUser = true;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
nodes.fuse = { ... }: {
|
nodes.fuse = { ... }: {
|
||||||
@ -25,6 +28,14 @@
|
|||||||
testScript = ''
|
testScript = ''
|
||||||
start_all()
|
start_all()
|
||||||
|
|
||||||
|
with subtest("Automatic socket activation"):
|
||||||
|
ipfs_hash = machine.succeed(
|
||||||
|
"echo fnord0 | su alice -l -c 'ipfs add --quieter'"
|
||||||
|
)
|
||||||
|
machine.succeed(f"ipfs cat /ipfs/{ipfs_hash.strip()} | grep fnord0")
|
||||||
|
|
||||||
|
machine.stop_job("ipfs")
|
||||||
|
|
||||||
with subtest("IPv4 socket activation"):
|
with subtest("IPv4 socket activation"):
|
||||||
machine.succeed("ipfs --api /ip4/127.0.0.1/tcp/2324 id")
|
machine.succeed("ipfs --api /ip4/127.0.0.1/tcp/2324 id")
|
||||||
ipfs_hash = machine.succeed(
|
ipfs_hash = machine.succeed(
|
||||||
@ -51,7 +62,7 @@
|
|||||||
# See https://github.com/ipfs/kubo/issues/9044.
|
# See https://github.com/ipfs/kubo/issues/9044.
|
||||||
# Workaround: using CID Version 1 avoids that.
|
# Workaround: using CID Version 1 avoids that.
|
||||||
ipfs_hash = fuse.succeed(
|
ipfs_hash = fuse.succeed(
|
||||||
"echo fnord3 | ipfs --api /ip4/127.0.0.1/tcp/2324 add --quieter --cid-version=1"
|
"echo fnord3 | ipfs add --quieter --cid-version=1"
|
||||||
).strip()
|
).strip()
|
||||||
|
|
||||||
fuse.succeed(f"cat /ipfs/{ipfs_hash} | grep fnord3")
|
fuse.succeed(f"cat /ipfs/{ipfs_hash} | grep fnord3")
|
||||||
|
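Review bot: In the new "Automatic socket activation" subtest only `ipfs add` runs as alice; the read-back `ipfs cat` runs as root, so the test does not show that a normal user can read through the socket. Running it as alice too would cover that: `machine.succeed(f"su alice -l -c 'ipfs cat /ipfs/{ipfs_hash.strip()}' | grep fnord0")`. The commit message relies on the real repo's config staying unreadable to normal users, so a negative check would pin that boundary, e.g. `machine.fail("su alice -l -c 'cat /mnt/ipfs/config'")`, assuming this node is the one configured with `dataDir = "/mnt/ipfs"`.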