[backport 2.3] Separate auth and logic for the daemon #5640

Draft. Wants to merge 1 commit into base: 2.3-maintenance

@Ericson2314 (Member) commented Nov 24, 2021

Before, processConnection wanted to know a user name and user id, and nix-daemon --stdio, when it isn't proxying to an underlying daemon, would just assume "root" and 0. But nix-daemon --stdio (no proxying) shouldn't make guesses about who holds the other end of its standard streams.

Now processConnection takes an "auth hook", so nix-daemon can provide the appropriate policy and daemon.cc doesn't need to know or care what it is.

(cherry picked from commit 8d4162f)

Depends on #5650
(not actually, but yes in terms of it wouldn't be useful until then.)
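
The separation described above, as an added example that is not code from this pull request or from Nix: the protocol logic receives a policy callback from the front end and never sees a user name or uid. `Store`, `AuthHook`, `socketPolicy`, `stdioPolicy` and `serve` are hypothetical names, and the `processConnection` signature shown is an assumption.

```cpp
#include <functional>
#include <iostream>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for the store: records per-user state set up for a connection.
struct Store { std::vector<std::string> userState; };

// Policy injected by the front end; runs once per connection, throws to reject.
using AuthHook = std::function<void(Store &)>;

// Protocol logic (assumed signature, not the one in daemon.cc). It receives no
// user name or uid, so it has nothing to guess.
void processConnection(Store & store, const AuthHook & authHook)
{
    authHook(store); // no request is handled unless this returns normally
}

// Front end that learned the peer's identity from its listening socket.
AuthHook socketPolicy(std::string user, unsigned uid, std::set<std::string> allowed)
{
    return [=](Store & store) {
        if (!allowed.count(user))
            throw std::runtime_error("user '" + user + "' may not connect");
        store.userState.push_back(user + ":" + std::to_string(uid));
    };
}

// Front end for --stdio without proxying: the holder of the streams is
// unknown, so no identity is recorded instead of assuming "root" and 0.
AuthHook stdioPolicy() { return [](Store &) {}; }

// Run one connection under a policy and return the per-user state it created.
std::vector<std::string> serve(const AuthHook & policy)
{
    Store store;
    processConnection(store, policy);
    return store.userState;
}

int main()
{
    std::cout << "stdio entries: " << serve(stdioPolicy()).size() << "\n";
    for (auto & e : serve(socketPolicy("alice", 1000, {"alice"}))) // constructed sample
        std::cout << "socket entry: " << e << "\n";
}
```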

@thufschmitt (Member)

Care to explain why this needs to be backported? The new test makes me believe that it’s just for the fake ssh feature, but I’m not sure what the link between the two is.

@Ericson2314 (Member, Author) commented Dec 1, 2021

@regnat heh a few things:

  1. I backported it trying to fix cross daemon test failures, and yes it ended up being only that test that exercised it. However, I found the remote-store and remote-program query params are also easy to backport (and I did that in [backport 2.3] Allow testing with different daemons #5650), and between all backports it will allow my newer more extensive remote building tests to work.

  2. However, the comment I wrote and backported is overly narrow. The case with the "root" that is causing the problems is hit when nix-daemon --stdio is run, and that daemon wouldn't itself connect to another daemon. So it will also occur when ssh-ing to machines that are "in single user mode".

stale bot commented Jun 12, 2022

I marked this as stale due to inactivity.

@stale stale bot added the stale label Jun 12, 2022
@stale stale bot removed the stale label Feb 23, 2023
@fricklerhandwerk fricklerhandwerk added the contributor-experience Developer experience for Nix contributors label Mar 3, 2023
@Ericson2314 Ericson2314 marked this pull request as draft November 30, 2023 17:58
@Ericson2314 Ericson2314 marked this pull request as ready for review November 30, 2023 17:58
@Ericson2314 Ericson2314 marked this pull request as draft November 30, 2023 18:48
@Ericson2314 (Member, Author)

draft until it is needed.
