Merge pull request #95444 from doronbehar/fix/mount+s

nixos/wrappers: make mount have the +s bit.
2020-08-16 12:23:12 +02:00 · 2020-08-16 12:23:12 +02:00 · 609eb86db7
parent d420369354 2519e54bef
commit 609eb86db7
2 changed files with 35 additions and 0 deletions
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@ -160,8 +160,11 @@ in
  config = {

    security.wrappers = {
+      # These are mount related wrappers that require the +s permission.
      fusermount.source = "${pkgs.fuse}/bin/fusermount";
      fusermount3.source = "${pkgs.fuse3}/bin/fusermount3";
+      mount.source = "${lib.getBin pkgs.utillinux}/bin/mount";
+      umount.source = "${lib.getBin pkgs.utillinux}/bin/umount";
    };

    boot.specialFileSystems.${parentWrapperDir} = {
--- a/nixos/tests/misc.nix
+++ b/nixos/tests/misc.nix
@ -20,12 +20,24 @@ import ./make-test-python.nix ({ pkgs, ...} : rec {
        { fsType = "tmpfs";
          options = [ "mode=1777" "noauto" ];
        };
+        # Tests https://discourse.nixos.org/t/how-to-make-a-derivations-executables-have-the-s-permission/8555
+        "/user-mount/point" = {
+          device = "/user-mount/source";
+          fsType = "none";
+          options = [ "bind" "rw" "user" "noauto" ];
+        };
+        "/user-mount/denied-point" = {
+          device = "/user-mount/denied-source";
+          fsType = "none";
+          options = [ "bind" "rw" "noauto" ];
+        };
      };
      systemd.automounts = singleton
        { wantedBy = [ "multi-user.target" ];
          where = "/tmp2";
        };
      users.users.sybil = { isNormalUser = true; group = "wheel"; };
+      users.users.alice = { isNormalUser = true; };
      security.sudo = { enable = true; wheelNeedsPassword = false; };
      boot.kernel.sysctl."vm.swappiness" = 1;
      boot.kernelParams = [ "vsyscall=emulate" ];
@ -112,6 +124,26 @@ import ./make-test-python.nix ({ pkgs, ...} : rec {
          machine.succeed("touch /tmp2/x")
          machine.succeed("grep '/tmp2 tmpfs' /proc/mounts")

+      with subtest(
+          "Whether mounting by a user is possible with the `user` option in fstab (#95444)"
+      ):
+          machine.succeed("mkdir -p /user-mount/source")
+          machine.succeed("touch /user-mount/source/file")
+          machine.succeed("chmod -R a+Xr /user-mount/source")
+          machine.succeed("mkdir /user-mount/point")
+          machine.succeed("chown alice:users /user-mount/point")
+          machine.succeed("su - alice -c 'mount /user-mount/point'")
+          machine.succeed("su - alice -c 'ls /user-mount/point/file'")
+      with subtest(
+          "Whether mounting by a user is denied without the `user` option in  fstab"
+      ):
+          machine.succeed("mkdir -p /user-mount/denied-source")
+          machine.succeed("touch /user-mount/denied-source/file")
+          machine.succeed("chmod -R a+Xr /user-mount/denied-source")
+          machine.succeed("mkdir /user-mount/denied-point")
+          machine.succeed("chown alice:users /user-mount/denied-point")
+          machine.fail("su - alice -c 'mount /user-mount/denied-point'")
+
      with subtest("shell-vars"):
          machine.succeed('[ -n "$NIX_PATH" ]')