nixos/networkmanager: remove networking.networkmanager.dynamic… (#71337)
nixos/networkmanager: remove networking.networkmanager.dynamicHosts
This commit is contained in:
commit
f24b4fb411
@ -85,7 +85,19 @@
|
|||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para />
|
<para>
|
||||||
|
The <literal>dynamicHosts</literal> option has been removed from the
|
||||||
|
<link linkend="opt-networking.networkmanager.enable">networkd</link>
|
||||||
|
module. Allowing (multiple) regular users to override host entries
|
||||||
|
affecting the whole system opens up a huge attack vector.
|
||||||
|
There seem to be very rare cases where this might be useful.
|
||||||
|
Consider setting system-wide host entries using
|
||||||
|
<link linkend="opt-networking.hosts">networking.hosts</link>, provide
|
||||||
|
them via the DNS server in your network, or use
|
||||||
|
<link linkend="opt-environment.etc">environment.etc</link>
|
||||||
|
to add a file into <literal>/etc/NetworkManager/dnsmasq.d</literal>
|
||||||
|
reconfiguring <literal>hostsdir</literal>.
|
||||||
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
|
@ -17,9 +17,6 @@ let
|
|||||||
networkmanager-vpnc
|
networkmanager-vpnc
|
||||||
] ++ optional (!delegateWireless && !enableIwd) wpa_supplicant;
|
] ++ optional (!delegateWireless && !enableIwd) wpa_supplicant;
|
||||||
|
|
||||||
dynamicHostsEnabled =
|
|
||||||
cfg.dynamicHosts.enable && cfg.dynamicHosts.hostsDirs != {};
|
|
||||||
|
|
||||||
delegateWireless = config.networking.wireless.enable == true && cfg.unmanaged != [];
|
delegateWireless = config.networking.wireless.enable == true && cfg.unmanaged != [];
|
||||||
|
|
||||||
enableIwd = cfg.wifi.backend == "iwd";
|
enableIwd = cfg.wifi.backend == "iwd";
|
||||||
@ -335,54 +332,19 @@ in {
|
|||||||
so you don't need to to that yourself.
|
so you don't need to to that yourself.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
dynamicHosts = {
|
imports = [
|
||||||
enable = mkOption {
|
(mkRemovedOptionModule ["networking" "networkmanager" "dynamicHosts"] ''
|
||||||
type = types.bool;
|
This option was removed because allowing (multiple) regular users to
|
||||||
default = false;
|
override host entries affecting the whole system opens up a huge attack
|
||||||
description = ''
|
vector. There seem to be very rare cases where this might be useful.
|
||||||
Enabling this option requires the
|
Consider setting system-wide host entries using networking.hosts, provide
|
||||||
<option>networking.networkmanager.dns</option> option to be
|
them via the DNS server in your network, or use environment.etc
|
||||||
set to <literal>dnsmasq</literal>. If enabled, the directories
|
to add a file into /etc/NetworkManager/dnsmasq.d reconfiguring hostsdir.
|
||||||
defined by the
|
'')
|
||||||
<option>networking.networkmanager.dynamicHosts.hostsDirs</option>
|
];
|
||||||
option will be set up when the service starts. The dnsmasq instance
|
|
||||||
managed by NetworkManager will then watch those directories for
|
|
||||||
hosts files (see the <literal>--hostsdir</literal> option of
|
|
||||||
dnsmasq). This way a non-privileged user can add or override DNS
|
|
||||||
entries on the local system (depending on what hosts directories
|
|
||||||
that are configured)..
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
hostsDirs = mkOption {
|
|
||||||
type = with types; attrsOf (submodule {
|
|
||||||
options = {
|
|
||||||
user = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "root";
|
|
||||||
description = ''
|
|
||||||
The user that will own the hosts directory.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
group = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "root";
|
|
||||||
description = ''
|
|
||||||
The group that will own the hosts directory.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
});
|
|
||||||
default = {};
|
|
||||||
description = ''
|
|
||||||
Defines a set of directories (relative to
|
|
||||||
<literal>/run/NetworkManager/hostdirs</literal>) that dnsmasq will
|
|
||||||
watch for hosts files.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
###### implementation
|
###### implementation
|
||||||
@ -396,12 +358,6 @@ in {
|
|||||||
Except if you mark some interfaces as <literal>unmanaged</literal> by NetworkManager.
|
Except if you mark some interfaces as <literal>unmanaged</literal> by NetworkManager.
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
{ assertion = !dynamicHostsEnabled || (dynamicHostsEnabled && cfg.dns == "dnsmasq");
|
|
||||||
message = ''
|
|
||||||
To use networking.networkmanager.dynamicHosts you also need to set
|
|
||||||
`networking.networkmanager.dns = "dnsmasq"`
|
|
||||||
'';
|
|
||||||
}
|
|
||||||
];
|
];
|
||||||
|
|
||||||
environment.etc = with pkgs; [
|
environment.etc = with pkgs; [
|
||||||
@ -435,12 +391,6 @@ in {
|
|||||||
target = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}";
|
target = "NetworkManager/dispatcher.d/${dispatcherTypesSubdirMap.${s.type}}03userscript${lib.fixedWidthNumber 4 i}";
|
||||||
mode = "0544";
|
mode = "0544";
|
||||||
}) cfg.dispatcherScripts
|
}) cfg.dispatcherScripts
|
||||||
++ optional dynamicHostsEnabled
|
|
||||||
{ target = "NetworkManager/dnsmasq.d/dyndns.conf";
|
|
||||||
text = concatMapStrings (n: ''
|
|
||||||
hostsdir=/run/NetworkManager/hostsdirs/${n}
|
|
||||||
'') (attrNames cfg.dynamicHosts.hostsDirs);
|
|
||||||
}
|
|
||||||
++ optional cfg.enableStrongSwan
|
++ optional cfg.enableStrongSwan
|
||||||
{ source = "${pkgs.networkmanager_strongswan}/lib/NetworkManager/VPN/nm-strongswan-service.name";
|
{ source = "${pkgs.networkmanager_strongswan}/lib/NetworkManager/VPN/nm-strongswan-service.name";
|
||||||
target = "NetworkManager/VPN/nm-strongswan-service.name";
|
target = "NetworkManager/VPN/nm-strongswan-service.name";
|
||||||
@ -496,21 +446,6 @@ in {
|
|||||||
|
|
||||||
systemd.services.ModemManager.aliases = [ "dbus-org.freedesktop.ModemManager1.service" ];
|
systemd.services.ModemManager.aliases = [ "dbus-org.freedesktop.ModemManager1.service" ];
|
||||||
|
|
||||||
systemd.services.nm-setup-hostsdirs = mkIf dynamicHostsEnabled {
|
|
||||||
wantedBy = [ "NetworkManager.service" ];
|
|
||||||
before = [ "NetworkManager.service" ];
|
|
||||||
partOf = [ "NetworkManager.service" ];
|
|
||||||
script = concatStrings (mapAttrsToList (n: d: ''
|
|
||||||
mkdir -p "/run/NetworkManager/hostsdirs/${n}"
|
|
||||||
chown "${d.user}:${d.group}" "/run/NetworkManager/hostsdirs/${n}"
|
|
||||||
chmod 0775 "/run/NetworkManager/hostsdirs/${n}"
|
|
||||||
'') cfg.dynamicHosts.hostsDirs);
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "oneshot";
|
|
||||||
RemainAfterExit = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.NetworkManager-dispatcher = {
|
systemd.services.NetworkManager-dispatcher = {
|
||||||
wantedBy = [ "network.target" ];
|
wantedBy = [ "network.target" ];
|
||||||
restartTriggers = [ configFile ];
|
restartTriggers = [ configFile ];
|
||||||
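Review bot: The removal message added via `mkRemovedOptionModule` in the `-335,54 +332,19` hunk recommends an `environment.etc` file under `/etc/NetworkManager/dnsmasq.d` that reconfigures `hostsdir`, but it does not say that dnsmasq.d is only consulted when `networking.networkmanager.dns = "dnsmasq"` — the precondition the assertion deleted in the `-396,12 +358,6` hunk used to enforce — nor that pointing `hostsdir` at a directory non-root users can write to recreates exactly the exposure this commit removes (the deleted `nm-setup-hostsdirs` service created those directories `0775` with a configurable owner and group). I would append to the message: `Note that dnsmasq.d is only read when networking.networkmanager.dns = "dnsmasq", and any hostsdir you configure should be writable by root only.` The enclosing module attrset (`in {`) starts and ends outside the hunk.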
|