From 8fafc35158d9ee7b6446a248c59522c2b80ead00 Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Fri, 25 Oct 2024 17:56:51 +0200
Subject: [PATCH 1/2] resolvconf: reliably set group permissions

If `resolvconf` is invoked by a process not running with the resolvconf group as primary group, other processes will run into trouble as files or directories under /run/resolvconf won't have write permissions. This ACL rule ensure that resolvconf files, include new files created by any process, are always accessible by users of the resolvconf group.

---
 nixos/modules/config/resolvconf.nix | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/nixos/modules/config/resolvconf.nix b/nixos/modules/config/resolvconf.nix
index f6241e9bf96b..70ee02421cc3 100644
--- a/nixos/modules/config/resolvconf.nix
+++ b/nixos/modules/config/resolvconf.nix
@@ -161,9 +161,12 @@ in
 script = ''
 ${lib.getExe cfg.package} -u
- files=(/run/resolvconf ${lib.escapeShellArgs cfg.subscriberFiles})
- chgrp -R resolvconf "''${files[@]}"
- chmod -R g=u "''${files[@]}"
+ chgrp resolvconf ${lib.escapeShellArgs cfg.subscriberFiles}
+ chmod g=u ${lib.escapeShellArgs cfg.subscriberFiles}
+ ${lib.getExe' pkgs.acl "setfacl"} -R \
+ -m group:resolvconf:rwx \
+ -m default:group:resolvconf:rwx \
+ /run/resolvconf
 '';
 };

From 483e44684de2fba01f219dca5ca6e913eba07f88 Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Fri, 25 Oct 2024 18:10:55 +0200
Subject: [PATCH 2/2] dhcpcd: fix permissions error with secondary IPv4 addresses

If dhcpcd receives a secondary IPv4 address from the DHCP server it tries to enable automatic promotion from secondary to primary by writing `1` to /proc/sys/net/ipv4/conf/%s/promote_secondaries.

---
 nixos/modules/services/networking/dhcpcd.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/services/networking/dhcpcd.nix b/nixos/modules/services/networking/dhcpcd.nix
index a7c896cb28a2..059dc59e8a0a 100644
--- a/nixos/modules/services/networking/dhcpcd.nix
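Review bot: The recursive access entry `-m group:resolvconf:rwx` hands the execute bit to every regular file under /run/resolvconf, which the removed `chmod -R g=u` did not do for files that were not already executable; `-m group:resolvconf:rwX \` keeps execute for directories (and files that already carry it) only, which is the least-privilege form. The default entry is applied to the directory itself, so `rwX` there behaves like `rwx`, and the rights a newly created file actually inherits are still bounded by the mode its creator requests, so a short comment above the setfacl call would help, since the commit message is the only place explaining why an ACL replaced the chgrp/chmod pair, e.g. `# default ACL: files created here by any process stay writable by the resolvconf group`. The subscriber files now get only a non-recursive chgrp/chmod and no ACL, so if any of them is a directory, files created inside it will not be covered; worth stating whether that is intended. The attribute set that holds `script` opens before the hunk.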
+++ b/nixos/modules/services/networking/dhcpcd.nix
@@ -249,7 +249,7 @@ in
 ExecReload = "${dhcpcd}/sbin/dhcpcd --rebind";
 Restart = "always";
 AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ];
- ReadWritePaths = [ "/proc/sys/net/ipv6" ]
+ ReadWritePaths = [ "/proc/sys/net/ipv4" "/proc/sys/net/ipv6" ]
 ++ lib.optionals useResolvConf ([ "/run/resolvconf" ] ++ config.networking.resolvconf.subscriberFiles);
 DeviceAllow = "";
 LockPersonality = true;
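Review bot: `"/proc/sys/net/ipv4"` makes the whole IPv4 sysctl tree writable for the unit, including globals such as ip_forward, while the commit message only needs conf/<iface>/promote_secondaries; `"/proc/sys/net/ipv4/conf"` would still cover every per-interface knob and leave the globals read-only, assuming dhcpcd writes nothing else under ipv4, which is worth confirming against its sources before narrowing. This only matters if the unit also restricts /proc/sys (ProtectKernelTunables or similar), which is not visible in the hunk. Either way a comment naming the reason would spare the next reader a trip through git log, e.g. `# ipv4: dhcpcd writes conf/<iface>/promote_secondaries for secondary addresses`. The attribute set these options live in starts and ends outside the hunk.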