Separate auth and logic for the daemon

Before, processConnection wanted to know a user name and user id, and `nix-daemon --stdio`, when it isn't proxying to an underlying daemon, would just assume "root" and 0. But `nix-daemon --stdio` (no proxying) shouldn't make guesses about who holds the other end of its standard streams. Now processConnection takes an "auth hook", so `nix-daemon` can provide the appropriate policy and daemon.cc doesn't need to know or care what it is. (cherry picked from commit 8d4162f)
obsidiansystems · Oct 26, 2023 · 88e13cf · 88e13cf
1 parent 619e975
commit 88e13cf
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 11 deletions.
diff --git a/src/nix-daemon/nix-daemon.cc b/src/nix-daemon/nix-daemon.cc
@@ -743,7 +743,11 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
 
 
 static void processConnection(bool trusted,
-    const std::string & userName, uid_t userId)
+    /* Arbitrary hook to check authorization / initialize user data / whatever
+       after the protocol has been negotiated. The idea is that this function
+       and everything it calls doesn't know about this stuff, and the
+       `nix-daemon` handles that instead. */
+    std::function<void(Store &)> authHook)
 {
     MonitorFdHup monitor(from.fd);
 
@@ -781,20 +785,13 @@ static void processConnection(bool trusted,
         /* If we can't accept clientVersion, then throw an error
            *here* (not above). */
 
-#if 0
-        /* Prevent users from doing something very dangerous. */
-        if (geteuid() == 0 &&
-            querySetting("build-users-group", "") == "")
-            throw Error("if you run 'nix-daemon' as root, then you MUST set 'build-users-group'!");
-#endif
-
         /* Open the store. */
         Store::Params params; // FIXME: get params from somewhere
         // Disable caching since the client already does that.
         params["path-info-cache-size"] = "0";
         auto store = openStore(settings.storeUri, params);
 
-        store->createUser(userName, userId);
+        authHook(*store);
 
         tunnelLogger->stopWork();
         to.flush();
@@ -1060,7 +1057,15 @@ static void daemonLoop(char * * argv)
                 /* Handle the connection. */
                 from.fd = remote.get();
                 to.fd = remote.get();
-                processConnection(trusted, user, peer.uid);
+                processConnection(trusted, [&](Store & store) {
+#if 0
+                    /* Prevent users from doing something very dangerous. */
+                    if (geteuid() == 0 &&
+                        querySetting("build-users-group", "") == "")
+                        throw Error("if you run 'nix-daemon' as root, then you MUST set 'build-users-group'!");
+#endif
+                    store.createUser(user, peer.uid);
+                });
 
                 exit(0);
             }, options);
@@ -1140,7 +1145,10 @@ static int _main(int argc, char * * argv)
                     }
                 }
             } else {
-                processConnection(true, "root", 0);
+                /* Auth hook is empty because in this mode we blindly trust the
+                   standard streams. Limitting access to thoses is explicitly
+                   not `nix-daemon`'s responsibility. */
+                processConnection(true, [&](Store & _){});
             }
         } else {
             daemonLoop(argv);

diff --git a/tests/remote-store.sh b/tests/remote-store.sh
@@ -2,6 +2,9 @@ source common.sh
 
 clearStore
 
+# Ensure "fake ssh" remote store works just as legacy fake ssh would.
+nix --store ssh-ng://localhost?remote-store=$TEST_ROOT/other-store doctor
+
 startDaemon
 
 storeCleared=1 $SHELL ./user-envs.sh