nixos/networkmanager: remove networking.networkmanager.dynamic… (#71337)

nixos/networkmanager: remove networking.networkmanager.dynamicHosts
Florian Klink 2019-10-21 02:33:28 +02:00 committed by GitHub
commit f24b4fb411
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 24 additions and 77 deletions


@ -85,7 +85,19 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para /> <para>
The <literal>dynamicHosts</literal> option has been removed from the
<link linkend="opt-networking.networkmanager.enable">networkd</link>
module. Allowing (multiple) regular users to override host entries
affecting the whole system opens up a huge attack vector.
There seem to be very rare cases where this might be useful.
Consider setting system-wide host entries using
<link linkend="opt-networking.hosts">networking.hosts</link>, provide
them via the DNS server in your network, or use
<link linkend="opt-environment.etc">environment.etc</link>
to add a file into <literal>/etc/NetworkManager/dnsmasq.d</literal>
reconfiguring <literal>hostsdir</literal>.
</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>


@ -17,9 +17,6 @@ let
networkmanager-vpnc networkmanager-vpnc
] ++ optional (!delegateWireless && !enableIwd) wpa_supplicant; ] ++ optional (!delegateWireless && !enableIwd) wpa_supplicant;
dynamicHostsEnabled =
cfg.dynamicHosts.enable && cfg.dynamicHosts.hostsDirs != {};
delegateWireless = config.networking.wireless.enable == true && cfg.unmanaged != []; delegateWireless = config.networking.wireless.enable == true && cfg.unmanaged != [];
enableIwd = cfg.wifi.backend == "iwd"; enableIwd = cfg.wifi.backend == "iwd";
@ -335,54 +332,19 @@ in {
so you don't need to to that yourself. so you don't need to to that yourself.
''; '';
}; };
};
};
dynamicHosts = { imports = [
enable = mkOption { (mkRemovedOptionModule ["networking" "networkmanager" "dynamicHosts"] ''
type = types.bool; This option was removed because allowing (multiple) regular users to
default = false; override host entries affecting the whole system opens up a huge attack
description = '' vector. There seem to be very rare cases where this might be useful.
Enabling this option requires the Consider setting system-wide host entries using networking.hosts, provide
<option>networking.networkmanager.dns</option> option to be them via the DNS server in your network, or use environment.etc
set to <literal>dnsmasq</literal>. If enabled, the directories to add a file into /etc/NetworkManager/dnsmasq.d reconfiguring hostsdir.
defined by the '')
<option>networking.networkmanager.dynamicHosts.hostsDirs</option> ];
option will be set up when the service starts. The dnsmasq instance
managed by NetworkManager will then watch those directories for
hosts files (see the <literal>--hostsdir</literal> option of
dnsmasq). This way a non-privileged user can add or override DNS
entries on the local system (depending on what hosts directories
that are configured)..
'';
};
hostsDirs = mkOption {
type = with types; attrsOf (submodule {
options = {
user = mkOption {
type = types.str;
default = "root";
description = ''
The user that will own the hosts directory.
'';
};
group = mkOption {
type = types.str;
default = "root";
description = ''
The group that will own the hosts directory.
'';
};
};
});
default = {};
description = ''
Defines a set of directories (relative to
<literal>/run/NetworkManager/hostdirs</literal>) that dnsmasq will
watch for hosts files.
'';
};
};
};
};
###### implementation ###### implementation
@ -396,12 +358,6 @@ in {
Except if you mark some interfaces as <literal>unmanaged</literal> by NetworkManager. Except if you mark some interfaces as <literal>unmanaged</literal> by NetworkManager.
''; '';
} }
{ assertion = !dynamicHostsEnabled || (dynamicHostsEnabled && cfg.dns == "dnsmasq");
message = ''
To use networking.networkmanager.dynamicHosts you also need to set
`networking.networkmanager.dns = "dnsmasq"`
'';
}
]; ];
environment.etc = with pkgs; [ environment.etc = with pkgs; [
@ -435,12 +391,6 @@ in {
target = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}"; target = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}";
mode = "0544"; mode = "0544";
}) cfg.dispatcherScripts }) cfg.dispatcherScripts
++ optional dynamicHostsEnabled
{ target = "NetworkManager/dnsmasq.d/dyndns.conf";
text = concatMapStrings (n: ''
hostsdir=/run/NetworkManager/hostsdirs/${n}
'') (attrNames cfg.dynamicHosts.hostsDirs);
}
++ optional cfg.enableStrongSwan ++ optional cfg.enableStrongSwan
{ source = "${pkgs.networkmanager_strongswan}/lib/NetworkManager/VPN/nm-strongswan-service.name"; { source = "${pkgs.networkmanager_strongswan}/lib/NetworkManager/VPN/nm-strongswan-service.name";
target = "NetworkManager/VPN/nm-strongswan-service.name"; target = "NetworkManager/VPN/nm-strongswan-service.name";
@ -496,21 +446,6 @@ in {
systemd.services.ModemManager.aliases = [ "dbus-org.freedesktop.ModemManager1.service" ]; systemd.services.ModemManager.aliases = [ "dbus-org.freedesktop.ModemManager1.service" ];
systemd.services.nm-setup-hostsdirs = mkIf dynamicHostsEnabled {
wantedBy = [ "NetworkManager.service" ];
before = [ "NetworkManager.service" ];
partOf = [ "NetworkManager.service" ];
script = concatStrings (mapAttrsToList (n: d: ''
mkdir -p "/run/NetworkManager/hostsdirs/${n}"
chown "${d.user}:${d.group}" "/run/NetworkManager/hostsdirs/${n}"
chmod 0775 "/run/NetworkManager/hostsdirs/${n}"
'') cfg.dynamicHosts.hostsDirs);
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
};
systemd.services.NetworkManager-dispatcher = { systemd.services.NetworkManager-dispatcher = {
wantedBy = [ "network.target" ]; wantedBy = [ "network.target" ];
restartTriggers = [ configFile ]; restartTriggers = [ configFile ];
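Review bot: The removal message passed to `mkRemovedOptionModule` tells users to add a file under /etc/NetworkManager/dnsmasq.d "reconfiguring hostsdir" without saying what made the old setup unsafe, so someone following it can rebuild the same exposure by hand. The removed `nm-setup-hostsdirs` unit created each directory with `chmod 0775` and a configurable owner and group, and the removed option description says this let a non-privileged user add or override DNS entries on the local system. I would add one sentence to the message, for example `If you set hostsdir yourself, keep the directory writable by root only.` The release-note paragraph in the other file carries the same wording and also labels its link `networkd` although the target is `opt-networking.networkmanager.enable`.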