Merge pull request #96844 from peterhoeg/m/nfs

nixos/nfsd: run rpc-statd as a normal user

authored by

Peter Hoeg and committed by
GitHub
42eebd7a b169bfc9

+32 -33
+31 -25
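--- a/nixos/modules/services/network-filesystems/nfsd.nix
+++ b/nixos/modules/services/network-filesystems/nfsd.nix
@@ -8,6 +8,8 @@
 
   exports = pkgs.writeText "exports" cfg.exports;
 
+  rpcUser = "statd";
+
 in
 
 {
@@ -140,36 +142,40 @@
 
     environment.etc.exports.source = exports;
 
-    systemd.services.nfs-server =
-      { enable = true;
-        wantedBy = [ "multi-user.target" ];
+    systemd.services.nfs-server = {
+      enable = true;
+      wantedBy = [ "multi-user.target" ];
+    };
 
-        preStart =
-          ''
-            mkdir -p /var/lib/nfs/v4recovery
-          '';
-      };
+    systemd.services.nfs-mountd = {
+      enable = true;
+      restartTriggers = [ exports ];
 
-    systemd.services.nfs-mountd =
-      { enable = true;
-        restartTriggers = [ exports ];
+      preStart = optionalString cfg.createMountPoints ''
+        # create export directories:
+        # skip comments, take first col which may either be a quoted
+        # "foo bar" or just foo (-> man export)
+        sed '/^#.*/d;s/^"\([^"]*\)".*/\1/;t;s/[ ].*//' ${exports} \
+        | xargs -d '\n' mkdir -p
+      '';
+    };
 
-        preStart =
-          ''
-            mkdir -p /var/lib/nfs
+    # rpc-statd will drop privileges by changing user from root to the owner of
+    # /var/lib/nfs
+    systemd.tmpfiles.rules = [
+      "d /var/lib/nfs 0700 ${rpcUser} ${rpcUser} - -"
+    ] ++ map (e:
+      "d /var/lib/nfs/${e} 0755 root root - -"
+    ) [ "recovery" "v4recovery" "sm" "sm.bak" ];
 
-            ${optionalString cfg.createMountPoints
-            ''
-              # create export directories:
-              # skip comments, take first col which may either be a quoted
-              # "foo bar" or just foo (-> man export)
-              sed '/^#.*/d;s/^"\([^"]*\)".*/\1/;t;s/[ ].*//' ${exports} \
-              | xargs -d '\n' mkdir -p
-            ''
-            }
-          '';
+    users = {
+      groups."${rpcUser}" = {};
+      users."${rpcUser}" = {
+        description = "NFS RPC user";
+        group = rpcUser;
+        isSystemUser = true;
       };
-
+    };
   };
 
 }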
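Review bot: The tmpfiles rules hand `sm` and `sm.bak` to root with mode 0755 while the comment directly above says rpc-statd drops to the owner of /var/lib/nfs; once it is running as `statd` it cannot write the per-host monitor records it keeps under sm/ and sm.bak/, so lock recovery notifications after a reboot would silently be lost. If /var/lib/nfs is indeed the statd state directory, those two entries should belong to the same user, e.g. `"d /var/lib/nfs/sm 0700 ${rpcUser} ${rpcUser} - -"` and likewise for sm.bak, while `recovery` and `v4recovery` (written by the server side as root) can stay root-owned. It is also worth confirming that the state-directory path rpc.statd reads from nfs.conf is /var/lib/nfs rather than /var/lib/nfs/statd, since the privilege drop keys off whichever directory that is. The enclosing config attribute set starts outside the hunk.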
+1 -8
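--- a/nixos/modules/tasks/filesystems/nfs.nix
+++ b/nixos/modules/tasks/filesystems/nfs.nix
@@ -101,13 +101,6 @@
     };
 
     systemd.services.rpc-statd =
-      { restartTriggers = [ nfsConfFile ];
-
-        preStart =
-          ''
-            mkdir -p /var/lib/nfs/{sm,sm.bak}
-          '';
-      };
-
+      { restartTriggers = [ nfsConfFile ]; };
   };
 }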
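Review bot: Dropping the `mkdir -p /var/lib/nfs/{sm,sm.bak}` preStart here leaves rpc-statd with no directory or user setup on hosts that only mount NFS, because the replacement tmpfiles rules and the `statd` user/group are declared in the nfsd server module (presumably gated on the server's enable option), whereas this file is the client-side tasks module. On such a host rpc-statd would start against a missing or root-owned /var/lib/nfs and either fail to start or keep running as root, which defeats the point of the change. The tmpfiles rules and the `users.users.statd`/`users.groups.statd` definitions should live in this file next to the rpc-statd service so that clients and servers both get them. The rpc-statd attribute set is complete within the hunk, but the enclosing config block starts outside it.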