nixos/transmission: improvements #350085
beb5ec1 to 99add84
settings.umask to be of type str
@ju1m could you help with this PR?
Does that mean I should remove the release note entry?
@diniamo , sorry I did not notice you had already done all that work, what you did is better, thanks!
LGTM
@ju1m just to make sure: I changed serviceConfig.StateDirectoryMode to cfg.downloadDirPermissions as well. It's needed because other things can't access any subdirectories, if they can't access the parent directory. Alternatively, do you have a better solution?
Right, no I would not change Besides, if
@@ -358,7 +356,7 @@ in | |||
"transmission/${downloadsDir}" | |||
"transmission/${watchDir}" | |||
]; | |||
StateDirectoryMode = mkDefault 750; | |||
StateDirectoryMode = cfg.downloadDirPermissions; |
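Review bot: tying StateDirectoryMode= to cfg.downloadDirPermissions drops the explicit 750 default on the removed line, and since that option can be null, /var/lib/transmission would then get systemd's own default mode (755) and become readable by every local user rather than only the transmission group. Keep `StateDirectoryMode = mkDefault 750;` here and let users who need the downloads join the transmission group instead.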
Please keep 750 and let users add themselves to the transmission group.
How do I add a user to multiple groups declaratively though? Edit: seems like removing the downloadDirPermissions option worked. Although what happens if you set it to null is not documented.
users.users."diniamo".extraGroups = [ config.services.transmission.group ]; Or: users.groups.${config.services.transmission.group}.members = [ "diniamo" ];
And do you know why setting downloadDirPermissions to null makes it 755? I'll add a note about that to the description.
Yes, I explained it in my previous message. But please do not use
b0b6952 to 283ce8d
How is this?
@@ -191,6 +189,10 @@ in | |||
and [](#opt-services.transmission.settings.watch-dir). | |||
Note that you may also want to change | |||
[](#opt-services.transmission.settings.umask). | |||
|
|||
If `null`, the home and the download directories become |
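Review bot: the added sentence "If `null`, the home and the download directories become ..." presents the null case as changing directory modes, but with StateDirectoryMode= still set to 750 in the unit, a null downloadDirPermissions is a no-op and the directories keep the 750 mode systemd applies. Document the null case as leaving the directories untouched, and point readers who need access to adding themselves to the transmission group (or to a download-dir outside the state directory together with settings.umask) rather than implying a mode of 755.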
Hmm, I think you've misunderstood what I tried to say previously, when I wrote:

> Besides, if cfg.downloadDirPermissions is null (the default) then StateDirectoryMode= would default to 755 instead of the current 750 which would open transmission's state folder read-only to every user.

I was describing what would happen if we were to use StateDirectoryMode = cfg.downloadDirPermissions; but that's no longer the case, so downloadDirPermissions == null remains a no-op. Indeed, the description only documents the "If not null," case, but adding users to config.transmission.group is unrelated to that option being null or not; it's related to StateDirectoryMode == "750".
Then that option is very misleading. If I set it to 755, then I expect other users to be able to read the download directories, which is not the case. This is very unintuitive, and the option descriptions don't mention this anywhere. It took a long while before I figured out what was going on.
It would be nice if we could avoid wasting others' time. What do you suggest?
IMHO, downloadDirPermissions is a quirk that should not even exist in the first place, since adding users to services.transmission.group is both more secure and more idiomatic.
Yet this option lingers and we have to deal with it, I would suggest to improve its description by explaining the two main ways to give access to the directories that I explained previously:
- the better way security-wise is to add users to services.transmission.group,
- or to set cfg.settings.download-dir & co. to some path where intended users have access to them [and use settings.umask = "002" and downloadDirPermissions = "755"]
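The two access models discussed above, written out as a NixOS configuration. This is an added example, not code from this PR or from the nixpkgs transmission module; the user name `alice`, the shared path `/srv/torrents` and the `shareViaGroup` switch are placeholders chosen here.

```nix
# Added example (not from this PR or nixpkgs). Two ways to let a second local
# user read what transmission downloads; flip `shareViaGroup` to pick one.
{ config, lib, ... }:
let
  # true  -> (a) group membership, state directory stays at mode 750
  # false -> (b) download-dir outside the state directory plus umask/permissions
  shareViaGroup = true;
  cfg = config.services.transmission;
in
{
  services.transmission = {
    enable = true;
  } // lib.optionalAttrs (!shareViaGroup) {
    # (b) Files land outside /var/lib/transmission, so StateDirectoryMode=
    # does not govern them. umask "002" makes new files 664 and new
    # directories 775 (group-writable, world-readable); downloadDirPermissions
    # "755" sets the download directory itself. Everything is world-readable.
    settings = {
      download-dir = "/srv/torrents";   # placeholder shared location
      umask = "002";
    };
    downloadDirPermissions = "755";
  };

  # (a) Preferred: the state directory keeps mode 750, and only members of
  # the transmission group (here: the placeholder user alice) can enter it.
  users.users.alice = {
    isNormalUser = true;
    extraGroups = lib.optional shareViaGroup cfg.group;
  };
}
```

With `shareViaGroup = true` nothing outside the transmission group can read the state directory or its Downloads subdirectory; with `false`, access is decided by the umask and the mode of the shared path, and every local user can read the files.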
283ce8d to f7cdf7b
How is this? I did some minimal testing in a VM, and it seems to be working fine.
f7cdf7b to 849298b
"transmission/${downloadsDir}" | ||
"transmission/${watchDir}" | ||
]; | ||
StateDirectoryMode = mkDefault 750; |
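Review bot: keep the StateDirectory= entries for "transmission/${downloadsDir}" and "transmission/${watchDir}" together with `StateDirectoryMode = mkDefault 750;`. systemd binds only the listed directories into RootDirectory= and applies the configured mode only to the innermost listed directories, so removing the subdirectory entries or the mode line would leave those paths unbound inside the sandbox and without the 750 mode, even though the top-level /var/lib/transmission is still covered.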
Please do not remove StateDirectoryMode nor StateDirectory, otherwise they will not be bound in the RootDirectory.
I don't exactly understand the bind mount stuff from the systemd docs. Isn't it enough to only bind the top-level directory (/var/lib/transmission)?
Never mind. I'm not digging into this deeper than I have to.
yes, but listing subdirs enforces StateDirectoryMode on them:

> Except in case of ConfigurationDirectory=, the innermost specified directories will be owned by the user and group specified in User= and Group=. If the specified directories already exist and their owning user or group do not match the configured ones, all files and directories below the specified directories as well as the directories themselves will have their file ownership recursively changed to match what is configured. As an optimization, if the specified directories are already owned by the right user and group, files and directories below of them are left as-is, even if they do not match what is requested. The innermost specified directories will have their access mode adjusted to what is specified in RuntimeDirectoryMode=, StateDirectoryMode=, CacheDirectoryMode=, LogsDirectoryMode= and ConfigurationDirectoryMode=.

Note that because "transmission/${downloadsDir}" is necessarily /var/lib/transmission/Downloads, StateDirectoryMode does not adjust modes of cfg.settings.download-dir if it's set to something else than the default "${cfg.home}/${downloadsDir}" (cfg.home being another quirk that lingers).
I see. Well IMO this entire module deserves a rewrite, but that's a lot of effort, so the latest commit should be fine.
Yes, if it were not for backward compatibility we should drop cfg.home to always use /var/lib/transmission, and drop downloadDirPermissions to let systemd create directories with "750" (or "770" if members of the transmission group should be allowed to delete dangling torrent files that transmission did not delete).
Except for that, the rest of the module is not that bad (obviously I'm biased), amongst the things that come to mind that can be improved security-wise:
- With recent systemd giving access to LoadCredential= / LoadCredentialEncrypted= in ExecStartPre=, those should be used instead of directly using ${cfg.credentialsFile}, as in nixpkgs/nixos/modules/services/misc/radicle.nix Lines 272 to 282 in 072f2ee:

```nix
let keyCred = builtins.split ":" "${cfg.privateKeyFile}"; in
if lib.length keyCred > 1
then {
  LoadCredentialEncrypted = [ cfg.privateKeyFile ];
  # Note that neither %d nor ${CREDENTIALS_DIRECTORY} works in BindReadOnlyPaths=
  BindReadOnlyPaths = [ "/run/credentials/radicle-node.service/${lib.head keyCred}:${env.RAD_HOME}/keys/radicle" ];
}
else {
  LoadCredential = [ "radicle:${cfg.privateKeyFile}" ];
  BindReadOnlyPaths = [ "/run/credentials/radicle-node.service/radicle:${env.RAD_HOME}/keys/radicle" ];
};
```

- Instead of using BindReadOnlyPaths = [ builtins.storeDir ], systemd.services.transmission.confinement should be used to only mount transmission's closure dependencies, as in nixpkgs/nixos/modules/services/misc/radicle.nix Lines 102 to 112 in 072f2ee:

```nix
confinement = {
  enable = true;
  mode = "full-apivfs";
  packages = [
    pkgs.gitMinimal
    cfg.package
    pkgs.iana-etc
    (lib.getLib pkgs.nss)
    pkgs.tzdata
  ];
};
```
849298b to 6895141
Some more stuff, since we are dragging this out anyway.
@ju1m sorry for this taking so long, but could you take a look?
We have to wait until after NixOS 24.11 as this is a breaking change and not a trivial fix.
I don't get it. Why do we have to wait for 24.11?
Because breaking changes are blocked in this period to prepare for the next release. See #339153
@ju1m it looks like I didn't do enough research: transmission 3 (which is the default for the module) still uses the old way of configuring umask (decimal number), while transmission 4 uses the new way (octal number as a string). Should I update the default package as well, or?
@diniamo should probably be using EDIT: maybe adjusting the
I was thinking of something like that as well. Thanks for that suggestion, I'll implement it.
@diniamo, chances are that nixpkgs/nixos/doc/manual/release-notes/rl-2411.section.md Lines 210 to 212 in b166978
But that would have to be discussed with people involved in #258058
nixos/transmission: improve code
- Remove `with lib;`
- Use `{ name = { ... }; }` instead of `{ name.foo = ...; name.bar = ...; }`
66ce4b0 to 94a4001
94a4001 to 66115dd
66115dd to 38bc6ac
In that case, I'll leave updating the default to them, and this should be fine.
@Aleksanaa this is no longer a breaking change.
As per Transmission's documentation, the umask option should be a string.