Skip to content

Commit

Permalink
Merge pull request #10363 from obsidiansystems/is-root-user
Browse files Browse the repository at this point in the history
Factor out `isRootUser` function
  • Loading branch information
thufschmitt authored Mar 30, 2024
2 parents c864e3b + e4d9b20 commit 845b2a9
Show file tree
Hide file tree
Showing 11 changed files with 30 additions and 15 deletions.
3 changes: 1 addition & 2 deletions src/libstore/globals.cc
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@
#include "current-process.hh"
#include "archive.hh"
#include "args.hh"
#include "users.hh"
#include "abstract-setting-to-json.hh"
#include "compute-levels.hh"

Expand Down Expand Up @@ -57,7 +56,7 @@ Settings::Settings()
, nixManDir(canonPath(NIX_MAN_DIR))
, nixDaemonSocketFile(canonPath(getEnvNonEmpty("NIX_DAEMON_SOCKET_PATH").value_or(nixStateDir + DEFAULT_SOCKET_PATH)))
{
buildUsersGroup = getuid() == 0 ? "nixbld" : "";
buildUsersGroup = isRootUser() ? "nixbld" : "";
allowSymlinkedStore = getEnv("NIX_IGNORE_SYMLINK_STORE") == "1";

auto sslOverride = getEnv("NIX_SSL_CERT_FILE").value_or(getEnv("SSL_CERT_FILE").value_or(""));
Expand Down
3 changes: 2 additions & 1 deletion src/libstore/globals.hh
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
#include "config.hh"
#include "environment-variables.hh"
#include "experimental-features.hh"
#include "users.hh"

#include <map>
#include <limits>
Expand Down Expand Up @@ -665,7 +666,7 @@ public:
Setting<bool> sandboxFallback{this, true, "sandbox-fallback",
"Whether to disable sandboxing when the kernel doesn't allow it."};

Setting<bool> requireDropSupplementaryGroups{this, getuid() == 0, "require-drop-supplementary-groups",
Setting<bool> requireDropSupplementaryGroups{this, isRootUser(), "require-drop-supplementary-groups",
R"(
Following the principle of least privilege,
Nix will attempt to drop supplementary groups when building with sandboxing.
Expand Down
7 changes: 4 additions & 3 deletions src/libstore/local-store.cc
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@
#include "posix-fs-canonicalise.hh"
#include "posix-source-accessor.hh"
#include "keys.hh"
#include "users.hh"

#include <iostream>
#include <algorithm>
Expand Down Expand Up @@ -223,7 +224,7 @@ LocalStore::LocalStore(const Params & params)

/* Optionally, create directories and set permissions for a
multi-user install. */
if (getuid() == 0 && settings.buildUsersGroup != "") {
if (isRootUser() && settings.buildUsersGroup != "") {
mode_t perm = 01775;

struct group * gr = getgrnam(settings.buildUsersGroup.get().c_str());
Expand Down Expand Up @@ -573,7 +574,7 @@ void LocalStore::openDB(State & state, bool create)
void LocalStore::makeStoreWritable()
{
#if __linux__
if (getuid() != 0) return;
if (!isRootUser()) return;
/* Check if /nix/store is on a read-only mount. */
struct statvfs stat;
if (statvfs(realStoreDir.get().c_str(), &stat) != 0)
Expand Down Expand Up @@ -1570,7 +1571,7 @@ static void makeMutable(const Path & path)
/* Upgrade from schema 6 (Nix 0.15) to schema 7 (Nix >= 1.3). */
void LocalStore::upgradeStore7()
{
if (getuid() != 0) return;
if (!isRootUser()) return;
printInfo("removing immutable bits from the Nix store (this may take a while)...");
makeMutable(realStoreDir);
}
Expand Down
5 changes: 3 additions & 2 deletions src/libstore/lock.cc
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
#include "file-system.hh"
#include "globals.hh"
#include "pathlocks.hh"
#include "users.hh"

#include <pwd.h>
#include <grp.h>
Expand Down Expand Up @@ -192,10 +193,10 @@ std::unique_ptr<UserLock> acquireUserLock(uid_t nrIds, bool useUserNamespace)
bool useBuildUsers()
{
#if __linux__
static bool b = (settings.buildUsersGroup != "" || settings.autoAllocateUids) && getuid() == 0;
static bool b = (settings.buildUsersGroup != "" || settings.autoAllocateUids) && isRootUser();
return b;
#elif __APPLE__
static bool b = settings.buildUsersGroup != "" && getuid() == 0;
static bool b = settings.buildUsersGroup != "" && isRootUser();
return b;
#else
return false;
Expand Down
4 changes: 2 additions & 2 deletions src/libstore/profiles.cc
Original file line number Diff line number Diff line change
Expand Up @@ -308,7 +308,7 @@ std::string optimisticLockProfile(const Path & profile)
Path profilesDir()
{
auto profileRoot =
(getuid() == 0)
isRootUser()
? rootProfilesDir()
: createNixStateDir() + "/profiles";
createDirs(profileRoot);
Expand All @@ -332,7 +332,7 @@ Path getDefaultProfile()
// Backwards compatibiliy measure: Make root's profile available as
// `.../default` as it's what NixOS and most of the init scripts expect
Path globalProfileLink = settings.nixStateDir + "/profiles/default";
if (getuid() == 0 && !pathExists(globalProfileLink)) {
if (isRootUser() && !pathExists(globalProfileLink)) {
replaceSymlink(profile, globalProfileLink);
}
return absPath(readLink(profileLink), dirOf(profileLink));
Expand Down
2 changes: 1 addition & 1 deletion src/libstore/store-api.cc
Original file line number Diff line number Diff line change
Expand Up @@ -1307,7 +1307,7 @@ std::shared_ptr<Store> openFromNonUri(const std::string & uri, const Store::Para
#if __linux__
else if (!pathExists(stateDir)
&& params.empty()
&& getuid() != 0
&& !isRootUser()
&& !getEnv("NIX_STORE_DIR").has_value()
&& !getEnv("NIX_STATE_DIR").has_value())
{
Expand Down
5 changes: 5 additions & 0 deletions src/libutil/users.cc
Original file line number Diff line number Diff line change
Expand Up @@ -113,4 +113,9 @@ std::string expandTilde(std::string_view path)
return std::string(path);
}


bool isRootUser() {
return getuid() == 0;
}

}
6 changes: 6 additions & 0 deletions src/libutil/users.hh
Original file line number Diff line number Diff line change
Expand Up @@ -55,4 +55,10 @@ Path createNixStateDir();
*/
std::string expandTilde(std::string_view path);


/**
* Is the current user UID 0 on Unix?
*/
bool isRootUser();

}
6 changes: 4 additions & 2 deletions src/nix-build/nix-build.cc
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@
#include "common-eval-args.hh"
#include "attr-path.hh"
#include "legacy.hh"
#include "users.hh"

using namespace nix;
using namespace std::string_literals;
Expand Down Expand Up @@ -572,8 +573,9 @@ static void main_nix_build(int argc, char * * argv)
"BASH=%5%; "
"set +e; "
R"s([ -n "$PS1" -a -z "$NIX_SHELL_PRESERVE_PROMPT" ] && )s" +
(getuid() == 0 ? R"s(PS1='\n\[\033[1;31m\][nix-shell:\w]\$\[\033[0m\] '; )s"
: R"s(PS1='\n\[\033[1;32m\][nix-shell:\w]\$\[\033[0m\] '; )s") +
(isRootUser()
? R"s(PS1='\n\[\033[1;31m\][nix-shell:\w]\$\[\033[0m\] '; )s"
: R"s(PS1='\n\[\033[1;32m\][nix-shell:\w]\$\[\033[0m\] '; )s") +
"if [ \"$(type -t runHook)\" = function ]; then runHook shellHook; fi; "
"unset NIX_ENFORCE_PURITY; "
"shopt -u nullglob; "
Expand Down
2 changes: 1 addition & 1 deletion src/nix-env/nix-env.cc
Original file line number Diff line number Diff line change
Expand Up @@ -1414,7 +1414,7 @@ static int main_nix_env(int argc, char * * argv)
replaceSymlink(
defaultChannelsDir(),
nixExprPath + "/channels");
if (getuid() != 0)
if (!isRootUser())
replaceSymlink(
rootChannelsDir(),
nixExprPath + "/channels_root");
Expand Down
2 changes: 1 addition & 1 deletion src/nix/main.cc
Original file line number Diff line number Diff line change
Expand Up @@ -348,7 +348,7 @@ void mainWrapped(int argc, char * * argv)
initGC();

#if __linux__
if (getuid() == 0) {
if (isRootUser()) {
try {
saveMountNamespace();
if (unshare(CLONE_NEWNS) == -1)
Expand Down

0 comments on commit 845b2a9

Please sign in to comment.