From 6f1b841669f85eddb0326c9ebf0b74d097f44f51 Mon Sep 17 00:00:00 2001
From: Jaculabilis
Date: Thu, 31 Dec 2020 15:04:51 -0800
Subject: [PATCH] Refactor to fix user permissions when using cli as another user
---
 inquisitor.nix | 57 ++++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 39 insertions(+), 18 deletions(-)
diff --git a/inquisitor.nix b/inquisitor.nix
index d10d35d..cb28e71 100644
--- a/inquisitor.nix
+++ b/inquisitor.nix
@@ -13,6 +13,15 @@ let
 # Define the inquisitor data directory
 inquisiDir = "/var/lib/inquisitor";
+ # Define the inquisitor service user
+ inquisitorUser = {
+ name = "inquisitor";
+ description = "Inquisitor service user";
+ isSystemUser = true;
+ shell = pkgs.bashInteractive;
+ packages = [ inquisitor pkgs.cron ];
+ };
+
 # Create the inquisitor config file in the nix store, pointing to /var/lib/
 inquisitorConfig = pkgs.writeTextFile {
 name = "inquisitor.conf";
@@ -25,9 +34,9 @@ let
 '';
 };
- # Create a run script for the server that sets up all necessary state
- inquisitorRun = pkgs.writeShellScriptBin "run.sh" ''
- # Ensure inquisitor directories and inquisitor source folder
+ # Create a setup script to ensure the service directory state
+ inquisitorSetup = pkgs.writeShellScriptBin "inquisitor-setup.sh" ''
+ # Ensure the service directory and the default source directory
 ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/data/inquisitor/
 ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/sources/
 ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/cache/
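Review bot: The new `inquisitorUser` attrset has no `home`, while the definition it replaces (removed in the last hunk of this patch) set `home = "${inquisiDir}"; createHome = true;`, so the account falls back to NixOS's default home and the `sudo --user=inquisitor` in the `inq` wrapper will, under the usual sudoers defaults, hand the CLI that default as `HOME`; keep `home = inquisiDir;` unless the CLI is known to write only under paths taken from the config file. `shell = pkgs.bashInteractive` and `packages = [ inquisitor pkgs.cron ]` are carried over, but they give a system account that this patch also turns into a passwordless sudo target an interactive login shell the gunicorn service does not need; leaving `shell` unset (NixOS then assigns its default non-login shell, as far as I recall) is the safer default. Newer NixOS releases also reject `isSystemUser = true` without a `group`, so adding `group = "inquisitor";` here plus `users.groups.inquisitor = {};` in the module body avoids a later breakage.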
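Review bot: The `inquisitorSetup` script introduced here (its body continues past the end of this hunk) is wired as a plain string under `system.activationScripts` in the following hunk, which carries no `deps`, so nothing orders it after the `users` activation step that creates the account the script later chowns to; on a fresh system the recursive chown can run before `inquisitor` exists. Declare the ordering explicitly: `system.activationScripts.inquisitorSetup = { deps = [ "users" ]; text = "${inquisitorSetup}/bin/inquisitor-setup.sh"; };`. Separately, a root `chown -R` over a tree the service user already writes to is a well-known hazard class; chown only the directories this script itself creates, non-recursively, or let systemd own the state directory via `StateDirectory=` in the unit's `serviceConfig`. That `chown` is also the only command in the script not spelled with `${pkgs.coreutils}/bin/`, which the three `mkdir` lines in this hunk do, so it depends on whatever `PATH` the activation environment happens to provide.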
@@ -35,42 +44,54 @@ let
 ${pkgs.coreutils}/bin/echo "{}" > ${inquisiDir}/data/inquisitor/state
 fi
- # Run inquisitor
+ # Ensure the service owns the folders
+ chown -R ${inquisitorUser.name} ${inquisiDir}
+ '';
+
+ # Create a run script for the server
+ inquisitorRun = pkgs.writeShellScriptBin "inquisitor-run.sh" ''
 cd ${inquisiDir}
 ${inquisitor}/bin/gunicorn \
 --bind=localhost:24133 \
 --workers=4 \
- --env INQUISITOR_CONFIG=${inquisitorConfig} \
 --log-level debug \
 "inquisitor.app:wsgi()"
 '';
- # Create a wrapper script to let users call into inquisitor safely
+ # Create a wrapper to execute the cli as the service user
 inquisitorWrapper = pkgs.writeShellScriptBin "inq" ''
- INQUISITOR_CONFIG=${inquisitorConfig} ${inquisitor}/bin/inquisitor "$@"
+ sudo --user=inquisitor ${inquisitor}/bin/inquisitor "$@"
 '';
 in {
- # Create a user for the service
- users.users.inquisitor = {
- description = "Inquisitor service user";
- isSystemUser = true;
- home = "${inquisiDir}";
- createHome = true;
- shell = pkgs.bashInteractive;
- packages = [ inquisitor pkgs.cron ];
- };
+ users.users.inquisitor = inquisitorUser;
+
+ # Link the config in /etc to avoid envvar shenanigans
+ environment.etc."inquisitor.conf".source = "${inquisitorConfig}";
 # Give all users the inq wrapper
 environment.systemPackages = [ inquisitorWrapper ];
+ # Allow the sudo in the cli wrapper without password
+ security.sudo.extraRules = [{
+ commands = [{
+ command = "${inquisitor}/bin/inquisitor";
+ options = [ "NOPASSWD" ];
+ }];
+ runAs = "${inquisitorUser.name}";
+ groups = [ "users" ];
+ }];
+
+ # Run the setup script on activation
+ system.activationScripts.inquisitorSetup = "${inquisitorSetup}/bin/inquisitor-setup.sh";
+
 # Set up the inquisitor service
 systemd.services.inquisitor = {
 description = "Inquisitor server";
- script = "${inquisitorRun}/bin/run.sh";
+ script = "${inquisitorRun}/bin/inquisitor-run.sh";
 serviceConfig = {
- User = "inquisitor";
+ User = "${inquisitorUser.name}";
 Type = "simple";
 };
wantedBy = [ "multi-user.target" ];