Fix the extendable xinetd service for unprivileged users and sysvinit deployments

2021-04-24 12:57:12 +02:00 · 2021-04-24 12:57:12 +02:00 · 4ca919bced
parent 513e3b226a
commit 4ca919bced
7 changed files with 37 additions and 39 deletions
--- a/services-agnostic/constructors.nix
+++ b/services-agnostic/constructors.nix
@ -194,7 +194,7 @@ in
  };

  extendableXinetd = import ./xinetd/extendable.nix {
-    inherit createManagedProcess runtimeDir tmpDir libDir forceDisableUserChange;
-    inherit (pkgs) xinetd writeTextFile;
+    inherit createManagedProcess runtimeDir tmpDir libDir forceDisableUserChange callingUser;
+    inherit (pkgs) lib xinetd writeTextFile;
  };
 }
--- a/services-agnostic/xinetd/default.nix
+++ b/services-agnostic/xinetd/default.nix
@ -1,14 +1,11 @@
 {createManagedProcess, xinetd, runtimeDir, tmpDir, forceDisableUserChange}:
-{instanceSuffix ? "", instanceName ? "xinetd${instanceSuffix}", configFile}:
+{instanceSuffix ? "", instanceName ? "xinetd${instanceSuffix}", initialize ? "", configFile}:

-let
-  pidFile = if forceDisableUserChange then "${tmpDir}/${instanceName}.pid" else "${runtimeDir}/${instanceName}.pid";
-in
 createManagedProcess {
-  inherit instanceName;
+  inherit instanceName initialize;
  process = "${xinetd}/bin/xinetd";

-  args = [ "-f" configFile "-pidfile" pidFile ];
+  args = [ "-f" configFile "-pidfile" "${runtimeDir}/${instanceName}.pid" ];
  foregroundProcessExtraArgs = [ "-dontfork" ];

  overrides = {
--- a/services-agnostic/xinetd/extendable.nix
+++ b/services-agnostic/xinetd/extendable.nix
@ -1,20 +1,48 @@
-{createManagedProcess, xinetd, runtimeDir, tmpDir, libDir, forceDisableUserChange, writeTextFile}:
+{createManagedProcess, lib, xinetd, writeTextFile, runtimeDir, tmpDir, libDir, forceDisableUserChange, callingUser}:

 { instanceSuffix ? ""
 , instanceName ? "xinetd${instanceSuffix}"
 , services ? {}
 , extraConfig ? ""
+# If there are no services, then xinetd refuses to launch. An echo service prevents this from happening so that we can initially bootstrap it
+, includeEchoService ? true
+, echoPort ? 1024
 }:

+let
+  xinetdIncludeDir = "${libDir}/${instanceName}/xinetd.d";
+in
 import ./default.nix {
  inherit createManagedProcess xinetd runtimeDir tmpDir forceDisableUserChange;
 } {
  inherit instanceSuffix instanceName;

+  initialize = ''
+    mkdir -p ${xinetdIncludeDir}
+  ''
+  + lib.optionalString includeEchoService ''
+    cat > ${xinetdIncludeDir}/echo <<EOF
+    service echo
+    {
+        socket_type = dgram
+        protocol = udp
+        bind = 127.0.0.1
+        wait = yes
+        user = ${if forceDisableUserChange then callingUser else "nobody"}
+        type = INTERNAL${lib.optionalString forceDisableUserChange " UNLISTED"}
+  ''
+  + lib.optionalString forceDisableUserChange ''
+    port = ${toString echoPort}
+  ''
+  + ''
+    }
+    EOF
+  '';
+
  configFile = writeTextFile {
    name = "xinetd.conf";
    text = ''
-      includedir ${libDir}/${instanceName}/xinetd.d
+      includedir ${xinetdIncludeDir}
    ''
    + extraConfig;
  };
--- a/tests/xinetd/extendable/default.nix
+++ b/tests/xinetd/extendable/default.nix
@ -30,7 +30,6 @@ testService {
        };
      in
      ''
-        machine.succeed("mkdir -p ${stateDir}/lib/${instanceName}/xinetd.d")
        machine.succeed(
            "cp ${tftpService} ${stateDir}/lib/${instanceName}/xinetd.d"
        )
@ -66,7 +65,6 @@ testService {
        };
      in
      ''
-        machine.succeed("mkdir -p ${stateDir}/lib/${instanceName}/xinetd.d")
        machine.succeed(
            "cp ${telnetService} ${stateDir}/lib/${instanceName}/xinetd.d"
        )
--- a/tests/xinetd/extendable/processes.nix
+++ b/tests/xinetd/extendable/processes.nix
@ -8,13 +8,14 @@
 , libDir ? "${stateDir}/lib"
 , tmpDir ? (if stateDir == "/var" then "/tmp" else "${stateDir}/tmp")
 , forceDisableUserChange ? false
+, callingUser ? null
 , processManager
 , nix-processmgmt ? ../../../../nix-processmgmt
 }:

 let
  constructors = import ../../../services-agnostic/constructors.nix {
-    inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir libDir spoolDir forceDisableUserChange processManager nix-processmgmt;
+    inherit pkgs stateDir runtimeDir logDir tmpDir cacheDir libDir spoolDir forceDisableUserChange callingUser processManager nix-processmgmt;
  };
 in
 rec {
--- a/tests/xinetd/extendable/xinetd.d/telnet
+++ b/tests/xinetd/extendable/xinetd.d/telnet
@ -1,13 +0,0 @@
-service telnet
-{
-    flags = REUSE
-    socket_type = stream
-    wait = no
-    user = ${if forceDisableUserChange then callingUser else "root"}
-    server = ${pkgs.inetutils}/libexec/telnetd
-    server_args = -E ${pkgs.bashInteractive}/bin/bash
-    disable = no
-    instances = 10
-    type = UNLISTED
-    port = ${toString port}
-}
--- a/tests/xinetd/extendable/xinetd.d/tftp
+++ b/tests/xinetd/extendable/xinetd.d/tftp
@ -1,13 +0,0 @@
-service tftp
-{
-    socket_type = dgram
-    protocol = udp
-    bind = 127.0.0.1
-    wait = yes
-    user = ${if forceDisableUserChange then callingUser else "root"}
-    server = ${pkgs.inetutils}/libexec/tftpd
-    server_args = "-u " ${if forceDisableUserChange then callingUser else "nobody"}
-    disable = no
-    type = UNLISTED
-    port = ${toString port}
-}