-
-
Notifications
You must be signed in to change notification settings - Fork 14.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
create_ap: init at 0.4.6 #54000
create_ap: init at 0.4.6 #54000
Conversation
Restart="on-failure"; | ||
RestartSec=5; | ||
ExecStart = "${pkgs.create_ap}/bin/create_ap --config ${configFile}"; | ||
}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Try using the DynamicUser
systemd option and maybe some others regarding privileges (man systemd.exec
) to be able to run this without root
privileges.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sadly, it isn't quite easy: the script checks the user id.
if [[ $(id -u) -ne 0 ]]; then
echo "You must run it as root." >&2
exit 1
fi
I can dedicate some more time to patching it, though, if running as a separate user is required.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah I see, in this case I think root is fine, but the security related systemd settings would be very much appreciated (ProtectSystem
, ProtectHome
and the Private*
settings, see man systemd.exec
).
If patching is simple and it works pretty much out of the box with non-root, then that would be even better. We're trying not to have services run as root in general after all, see #41092
What do you think would be better?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We're trying not to have services run as root in general after all
I'm all for this and I am sure that it is possible - it's just that I have had not enough experience with systemd to get it working right now.
Please wait until I finally figure out how to set it up with DynamicUser
on.
ec133f0
to
ddd1f24
Compare
One more thing to consider: the script is able to run and control multiple instances of itself in parallel (i.e. via But when started as a service in its current implementation, only one instance is possible. Maybe it is a good idea to replace the single instance configuration with a list of them. Then it will be possible to define multiple configs and thus create multiple access points:
Or maybe it is even better to handle two cases: when |
I have tested the following:
|
Now I need some time to check all possible usage scenarios with DynamicUser again. |
Without CAP_DAC_OVERRIDE it can't set unmanaged status to devices owned by NetworkManager, because of If the device is already unmanaged, then everything's OK - that's why I caught this problem that late. Strangely enough, |
Try to do an strace of the process to see which path it tries to write to. |
It can be observed even from
|
Well, everything works as it should:
It is impossible to modify files in /etc/ while under DynamicUser without CAP_DAC_OVERRIDE. |
@8084 Can you please change the commit message to match https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md "init" and "create_ap" are flipped |
@ryantm OK, I'll --squash and force-push the commit with correct message after I'm done. |
e22be2b
to
720d3a3
Compare
SSID=${cfg.ssid} | ||
PASSPHRASE=${cfg.passphrase} | ||
USE_PSK=0 | ||
${cfg.extraConfig} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now that I've opened NixOS/rfcs#42, I'm not so sure anymore about this anymore. Because once we introduce such hardcoded defaults and extraConfig
, it's hard to go back. Consider using the approach in the RFC instead.
bump? I'm interested in this. |
@klntsky Would you mind if I pushed a commit to this PR to make it use the approach in NixOS/rfcs#42? |
Co-authored-by: Silvan Mosberger <[email protected]>
@infinisil I definitely do not mind, thank you. I don't have enough time myself to work on this PR, sadly. |
720d3a3
to
53a2387
Compare
Cool, did that, somebody should test this again before merging though, I could try with my own laptop later perhaps, not sure if it can do it though |
@klntsky Can you test the latest version? |
Thank you for your contributions. This has been automatically marked as stale because it has had no activity for 180 days. If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity. Here are suggestions that might help resolve this more quickly:
|
As for now, I believe it's best to drop the service entirely and provide the binary only, due to lack of human powers to wrap it properly. |
Motivation for this change
create_ap.
Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)nix path-info -S
before and after)Additionally, I've included a systemd service which provides a nix interface to some of the most frequently used configurable options (the other can also be set via
extraConfig
).I have tested the following:
-e
flag)nmcli
is used only to set/unset the unmanaged status)--list-running
/--list-clients
/--stop