Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make /var/empty immutable (with chattr +i) #18365

Merged
merged 2 commits into from
Sep 7, 2016
Merged

Make /var/empty immutable (with chattr +i) #18365

merged 2 commits into from
Sep 7, 2016

Conversation

domenkozar
Copy link
Member

See #18358 and #14910 what bugs these caused.

cc @edolstra

@mention-bot
Copy link

@domenkozar, thanks for your PR! By analyzing the annotation information on this pull request, we identified @edolstra, @nathan7 and @peti to be potential reviewers

@domenkozar domenkozar added this to the 16.09 milestone Sep 6, 2016
This was referenced Sep 6, 2016
Closed
Closed
@edolstra
Copy link
Member

edolstra commented Sep 6, 2016

No, don't make it a link to the Nix store! Paths in the Nix store can have group = nixbld, which will probably cause sshd to fail. Just do chattr +i /var/empty.

Also, /var/empty is not a GC root, which might cause problems.

@domenkozar
Copy link
Member Author

@edolstra updated

@domenkozar
Copy link
Member Author

Just a side note: lots of these mkdir -m commands claim to be idempotent, but they're really not since permissions are not reset if directory exists.

@groxxda
Copy link
Contributor

groxxda commented Sep 6, 2016

Could we use a tmpfs with size=0,mode=000?

@domenkozar
Copy link
Member Author

@groxxda what advantage would that have over chattr +i?

@groxxda
Copy link
Contributor

groxxda commented Sep 6, 2016

@domenkozar it's probably just me not being a fan of chattr 😉
only advantage I can think of is file-system support. But it's probably not relevant because nobody has /var on a tmpfs

btw: Does your patch work when run twice?

@domenkozar
Make /var/empty immutable
3877ec5 
Fixes #14910 and #18358

Deployed to an existing server, restarted sshd and polkit to verify
they don't fail.
@domenkozar
Copy link
Member Author

@groxxda it did, but I pushed a fix for rm: cannot remove '/var/empty': Operation not permitted

@grahamc grahamc changed the title Make /var/empty immutable (symlink to nix store) Make /var/empty immutable (with chattr +i) Sep 7, 2016
@grahamc
Copy link
Member

grahamc commented Sep 7, 2016

(Updated the title to reflect the solution)

@domenkozar
Copy link
Member Author

@edolstra any objections?

edolstra
edolstra reviewed Sep 7, 2016
View reviewed changes
nixos/modules/system/activation/activation-script.nix
@@ -137,8 +140,13 @@ in

mkdir -m 1777 -p /var/tmp

# Make sure it's really empty
chattr -i /var/empty
rm -rf /var/empty
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This introduces a race during activation where /var/empty doesn't exist. So for example, if it gets interrupted at that point, you won't be able to log in via ssh anymore.

@domenkozar
Copy link
Member Author

@edolstra fixed

@edolstra edolstra merged commit 70be99c into master Sep 7, 2016
@peti peti deleted the fix-sshd-failure branch September 7, 2016 11:39
@groxxda groxxda mentioned this pull request Sep 20, 2016
Closed
@domenkozar
Copy link
Member Author

@fpletz I've linked two issues in description of the PR for motivation what issues we fix.

I think it's safe to disable this for containers.

@domenkozar
Copy link
Member Author

@fpletz here needs to be added chattr -R -f -i: https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/virtualization/nixos-container/nixos-container.pl#L248

Any we probably should test if container deletion works in the tests.

@domenkozar
Copy link
Member Author

Ah it already is, but doesn't fail: http://hydra.nixos.org/build/40856595/log/raw

domenkozar added a commit that referenced this pull request Sep 30, 2016
@domenkozar
changelog for #18365
14c16f2
domenkozar added a commit that referenced this pull request Sep 30, 2016
@domenkozar
changelog for #18365
3781095 
(cherry picked from commit 14c16f2)
Signed-off-by: Domen Kožar <[email protected]>
@nathan-gs nathan-gs mentioned this pull request Oct 9, 2016
Closed
@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/return-container-to-its-original-declared-state/14793/4

adrianpk added a commit to adrianpk/nixpkgs that referenced this pull request May 31, 2024
@adrianpk
changelog for NixOS#18365
151fe03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
8.has: changelog
Projects
None yet
Milestone
16.09
Development

Successfully merging this pull request may close these issues.
8 participants
@domenkozar @mention-bot @edolstra @groxxda @grahamc @nixos-discourse @fpletz @twhitehead