Fix the extendable xinetd service for unprivileged users and sysvinit deployments
This commit is contained in:
parent
513e3b226a
commit
4ca919bced
|
@ -194,7 +194,7 @@ in
|
|||
};
|
||||
|
||||
extendableXinetd = import ./xinetd/extendable.nix {
|
||||
inherit createManagedProcess runtimeDir tmpDir libDir forceDisableUserChange;
|
||||
inherit (pkgs) xinetd writeTextFile;
|
||||
inherit createManagedProcess runtimeDir tmpDir libDir forceDisableUserChange callingUser;
|
||||
inherit (pkgs) lib xinetd writeTextFile;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,14 +1,11 @@
|
|||
{createManagedProcess, xinetd, runtimeDir, tmpDir, forceDisableUserChange}:
|
||||
{instanceSuffix ? "", instanceName ? "xinetd${instanceSuffix}", configFile}:
|
||||
{instanceSuffix ? "", instanceName ? "xinetd${instanceSuffix}", initialize ? "", configFile}:
|
||||
|
||||
let
|
||||
pidFile = if forceDisableUserChange then "${tmpDir}/${instanceName}.pid" else "${runtimeDir}/${instanceName}.pid";
|
||||
in
|
||||
createManagedProcess {
|
||||
inherit instanceName;
|
||||
inherit instanceName initialize;
|
||||
process = "${xinetd}/bin/xinetd";
|
||||
|
||||
args = [ "-f" configFile "-pidfile" pidFile ];
|
||||
args = [ "-f" configFile "-pidfile" "${runtimeDir}/${instanceName}.pid" ];
|
||||
foregroundProcessExtraArgs = [ "-dontfork" ];
|
||||
|
||||
overrides = {
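Review bot: `tmpDir` and `forceDisableUserChange` are still in the parameter set on the first line of the hunk, but with the `pidFile` let-binding removed nothing in the visible body references either — the pid file now always goes to `${runtimeDir}/${instanceName}.pid`. If nothing past the hunk uses them, drop both from the signature (and from the matching `inherit` in extendable.nix) so readers are not led to think the unprivileged case still gets special handling here; otherwise record the new requirement on the `args` line with a comment such as `# pid file always lives in runtimeDir; for unprivileged deployments the caller must make runtimeDir writable (the old tmpDir fallback is gone)`. Keeping the pid file in a per-instance runtime directory instead of a shared tmp directory is the safer direction, so I would not revert that. The `overrides` attribute set begins on the last line of the hunk and its body is outside the view.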
|
||||
|
|
|
@ -1,20 +1,48 @@
|
|||
{createManagedProcess, xinetd, runtimeDir, tmpDir, libDir, forceDisableUserChange, writeTextFile}:
|
||||
{createManagedProcess, lib, xinetd, writeTextFile, runtimeDir, tmpDir, libDir, forceDisableUserChange, callingUser}:
|
||||
|
||||
{ instanceSuffix ? ""
|
||||
, instanceName ? "xinetd${instanceSuffix}"
|
||||
, services ? {}
|
||||
, extraConfig ? ""
|
||||
# If there are no services, then xinetd refuses to launch. An echo service prevents this from happening so that we can initially bootstrap it
|
||||
, includeEchoService ? true
|
||||
, echoPort ? 1024
|
||||
}:
|
||||
|
||||
let
|
||||
xinetdIncludeDir = "${libDir}/${instanceName}/xinetd.d";
|
||||
in
|
||||
import ./default.nix {
|
||||
inherit createManagedProcess xinetd runtimeDir tmpDir forceDisableUserChange;
|
||||
} {
|
||||
inherit instanceSuffix instanceName;
|
||||
|
||||
initialize = ''
|
||||
mkdir -p ${xinetdIncludeDir}
|
||||
''
|
||||
+ lib.optionalString includeEchoService ''
|
||||
cat > ${xinetdIncludeDir}/echo <<EOF
|
||||
service echo
|
||||
{
|
||||
socket_type = dgram
|
||||
protocol = udp
|
||||
bind = 127.0.0.1
|
||||
wait = yes
|
||||
user = ${if forceDisableUserChange then callingUser else "nobody"}
|
||||
type = INTERNAL${lib.optionalString forceDisableUserChange " UNLISTED"}
|
||||
''
|
||||
+ lib.optionalString forceDisableUserChange ''
|
||||
port = ${toString echoPort}
|
||||
''
|
||||
+ ''
|
||||
}
|
||||
EOF
|
||||
'';
|
||||
|
||||
configFile = writeTextFile {
|
||||
name = "xinetd.conf";
|
||||
text = ''
|
||||
includedir ${libDir}/${instanceName}/xinetd.d
|
||||
includedir ${xinetdIncludeDir}
|
||||
''
|
||||
+ extraConfig;
|
||||
};
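Review bot: `initialize` creates the include directory with a bare `mkdir -p ${xinetdIncludeDir}` and `configFile` then pulls every file in it in through `includedir`, so anyone who can write to that directory can drop in a service stanza with its own `user =` and `server =` lines — when xinetd itself runs privileged (the branch where the echo stanza uses `nobody`) that amounts to command execution as whichever user xinetd can switch to. The directory's mode and owner therefore depend on the umask of whatever runs `initialize`, which is not visible here; I would make it explicit, e.g. `mkdir -p -m 0755 ${xinetdIncludeDir}`, and add a comment above the `includedir` line stating that the directory must not be writable by untrusted users. `services ? {}` is declared in the parameter set but, in the visible part of the file, is never referenced, so a caller passing services would get an xinetd that silently ignores them — either render it into the config or remove the parameter. The echo stanza bound to 127.0.0.1 over UDP is a reasonable bootstrap placeholder, but `echoPort` only takes effect in the unprivileged branch (the `UNLISTED`/`port =` lines are conditional on `forceDisableUserChange`), which is worth saying in the comment on `includeEchoService`. The closing of the argument set after `configFile` is not shown in the hunk.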
|
||||
|
|
|
@ -30,7 +30,6 @@ testService {
|
|||
};
|
||||
in
|
||||
''
|
||||
machine.succeed("mkdir -p ${stateDir}/lib/${instanceName}/xinetd.d")
|
||||
machine.succeed(
|
||||
"cp ${tftpService} ${stateDir}/lib/${instanceName}/xinetd.d"
|
||||
)
|
||||
|
@ -66,7 +65,6 @@ testService {
|
|||
};
|
||||
in
|
||||
''
|
||||
machine.succeed("mkdir -p ${stateDir}/lib/${instanceName}/xinetd.d")
|
||||
machine.succeed(
|
||||
"cp ${telnetService} ${stateDir}/lib/${instanceName}/xinetd.d"
|
||||
)
|
||||
|
|
|
@ -8,13 +8,14 @@
|
|||
, libDir ? "${stateDir}/lib"
|
||||
, tmpDir ? (if stateDir == "/var" then "/tmp" else "${stateDir}/tmp")
|
||||
, forceDisableUserChange ? false
|
||||
, callingUser ? null
|
||||
, processManager
|
||||
, nix-processmgmt ? ../../../../nix-processmgmt
|
||||
}:
|
||||
|
||||
let
|
||||
constructors = import ../../../services-agnostic/constructors.nix {
|
||||
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir libDir spoolDir forceDisableUserChange processManager nix-processmgmt;
|
||||
inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir libDir spoolDir forceDisableUserChange callingUser processManager nix-processmgmt;
|
||||
};
|
||||
in
|
||||
rec {
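Review bot: `callingUser ? null` introduces the parameter with a null default, but nothing ties it to `forceDisableUserChange`: extendable.nix interpolates `callingUser` into the echo stanza's `user =` line whenever `forceDisableUserChange` is set, and Nix cannot coerce `null` to a string, so that combination fails with a generic coercion error far from the call site instead of a clear message. I would guard it in this file, e.g. `assert !forceDisableUserChange || callingUser != null;` before the `let`, and document the parameter with `# required when forceDisableUserChange is true: the account the services run as`. The parameter set this hunk belongs to begins before the hunk.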
|
||||
|
|
|
@ -1,13 +0,0 @@
|
|||
service telnet
|
||||
{
|
||||
flags = REUSE
|
||||
socket_type = stream
|
||||
wait = no
|
||||
user = ${if forceDisableUserChange then callingUser else "root"}
|
||||
server = ${pkgs.inetutils}/libexec/telnetd
|
||||
server_args = -E ${pkgs.bashInteractive}/bin/bash
|
||||
disable = no
|
||||
instances = 10
|
||||
type = UNLISTED
|
||||
port = ${toString port}
|
||||
}
|
|
@ -1,13 +0,0 @@
|
|||
service tftp
|
||||
{
|
||||
socket_type = dgram
|
||||
protocol = udp
|
||||
bind = 127.0.0.1
|
||||
wait = yes
|
||||
user = ${if forceDisableUserChange then callingUser else "root"}
|
||||
server = ${pkgs.inetutils}/libexec/tftpd
|
||||
server_args = "-u " ${if forceDisableUserChange then callingUser else "nobody"}
|
||||
disable = no
|
||||
type = UNLISTED
|
||||
port = ${toString port}
|
||||
}
|