forked from mirrors/nixpkgs
3cf9508c72
This commit changes how we deal with the current token, i.e., the token which may exist from a previous runner registration, and the configured token, i.e., the path set for the respective NixOS configuration option. Until now, we copied the configured and the current token (if any) to the runtime directory to compare them. The path of the current token may reference a file which is only accessible to specific users (even only root). Therefore, we ran the copying of credentials with elevated privileges by prefixing the `ExecStartPre=` script with a `+` (see systemd.service(5)). In this script, we also changed the owner of the files to the service user. Apparently, however, the user/group pair sometimes did not exist because we use `DynamicUser=`. To address this issue, we no longer change the owner of the file. Instead, we change the file permissions to 0666 to allow the runner configuration script (runs with full sandboxing) to read-write the file. Due to the current permissions of the runtime directory (0755), this would expose the token. Therefore, we process the tokens in the state directory, which is only accessible to the service user. If a new token file exists in the state directory, the configuration script should trigger a new runner registration. Afterward, it deletes the new token file. The token is still available using the path of the current token which is inaccessible within the service's sandbox. |
||
|---|---|---|
| .. | ||
| config | ||
| hardware | ||
| i18n/input-method | ||
| installer | ||
| misc | ||
| profiles | ||
| programs | ||
| security | ||
| services | ||
| system | ||
| tasks | ||
| testing | ||
| virtualisation | ||
| module-list.nix | ||
| rename.nix | ||