consistent ownership/permissions for /run/service-state/**

2023-02-25 22:53:06 +00:00 · 2023-02-25 22:53:06 +00:00 · 59ce03630a
commit 59ce03630a
parent 4bd99df0f1
7 changed files with 57 additions and 38 deletions
--- a/modules/base.nix
+++ b/modules/base.nix
@ -121,6 +121,9 @@ in {
      root = {
        gid = 0; usernames = ["root"];
      };
+      system = {
+        gid = 1; usernames = ["root"];
+      };
    };

    filesystem = dir {
--- a/modules/s6/scripts/rc.init
+++ b/modules/s6/scripts/rc.init
@ -18,6 +18,9 @@ shift
 mount -t proc none /proc
 mount -t sysfs none /sys

+mkdir -m 0750 /run/service-state
+chgrp system /run/service-state
+
 ### If your services are managed by s6-rc:
 ### (replace /run/service with your scandir)
 s6-rc-init /run/service -d -c /etc/s6-rc/compiled
--- a/overlay.nix
+++ b/overlay.nix
@ -89,6 +89,16 @@ final: prev: {
  netlink-lua = final.callPackage ./pkgs/netlink-lua {};
  waitup = final.callPackage ./pkgs/waitup {};

+  serviceFns = final.writeText "service-fns.sh" ''
+    output() { cat $1/.outputs/$2; }
+    output_path() { echo $(realpath $1/.outputs)/$2; }
+    mkoutputs() {
+      d=/run/service-state/$1
+      mkdir -m 2750 -p $d && chown root:system $d
+      echo $d
+    }
+  '';
+
  # these are packages for the build system not the host/target

  tufted = final.callPackage ./pkgs/tufted {};
--- a/pkgs/liminix-tools/networking/dnsmasq.nix
+++ b/pkgs/liminix-tools/networking/dnsmasq.nix
@ -1,11 +1,12 @@
 {
  liminix
 , dnsmasq
+, serviceFns
 , lib
 }:
 {
  user ? "dnsmasq"
-, group ? "dnsmasq"
+, group ? "system"
 , interface
 , upstreams ? []
 , ranges
@ -19,6 +20,7 @@ in longrun {
  inherit name;
  dependencies = [ interface ];
  run = ''
+    . ${serviceFns}
    ${dnsmasq}/bin/dnsmasq \
    --user=${user} \
    --domain=${domain} \
--- a/pkgs/liminix-tools/networking/pppoe.nix
+++ b/pkgs/liminix-tools/networking/pppoe.nix
@ -5,6 +5,7 @@
 , ppp
 , pppoe
 , writeAshScript
+, serviceFns
 } :
 let
  inherit (liminix.services) longrun;
@ -17,16 +18,15 @@ interface: {
 let
  name = "${interface.device}.pppoe";
  ip-up = writeAshScript "ip-up" {} ''
-    outputs=/run/service-state/${name}/
-    mkdir -p $outputs
-    (cd $outputs
-    echo $1 > ifname
-    echo $2 > tty
-    echo $3 > speed
-    echo $4 > address
-    echo $5 > peer-address
-    echo $DNS1 > ns1
-    echo $DNS1 > ns2
+    . ${serviceFns} 
+    (cd $(mkoutputs ${name}); umask 0027
+     echo $1 > ifname
+     echo $2 > tty
+     echo $3 > speed
+     echo $4 > address
+     echo $5 > peer-address
+     echo $DNS1 > ns1
+     echo $DNS2 > ns2
    )
    echo >/proc/self/fd/10
  '';
--- a/pkgs/liminix-tools/networking/udhcpc.nix
+++ b/pkgs/liminix-tools/networking/udhcpc.nix
@ -10,33 +10,33 @@ interface: { ... } @ args:
 let
  name = "${interface.device}.udhcp";
  script = writeShellScript "udhcp-notify" ''
-action=$1
+    . ${serviceFns}
+    action=$1

-set_address() {
-    ip address replace $ip/$mask dev $interface
-    dir=/run/service-state/${name}/
-    mkdir -p $dir
-    for i in lease mask ip router siaddr dns serverid subnet opt53 interface ; do
-        echo ''${!i} > $dir/$i
-    done
-}
-case $action in
-  deconfig)
-    ip address flush $interface
-    ip link set up dev $interface
-    ;;
-  bound)
-    # this doesn't actually replace, it adds a new address.
-    set_address
-    ;;
-  renew)
-    set_address
-    ;;
-  nak)
-    echo "received NAK on $interface"
-    ;;
-esac
-'';
+    set_address() {
+        ip address replace $ip/$mask dev $interface
+        (cd $(mkoutputs ${name}); umask 0027
+         for i in lease mask ip router siaddr dns serverid subnet opt53 interface ; do
+            echo ''${!i} > $i
+         done)
+    }
+    case $action in
+      deconfig)
+        ip address flush $interface
+        ip link set up dev $interface
+        ;;
+      bound)
+        # this doesn't actually replace, it adds a new address.
+        set_address
+        ;;
+      renew)
+        set_address
+        ;;
+      nak)
+        echo "received NAK on $interface"
+        ;;
+    esac
+  '';
 in longrun {
  inherit name;
  run = "${busybox}/bin/udhcpc -f -i ${interface.device} -s ${script}";
--- a/pkgs/liminix-tools/services/default.nix
+++ b/pkgs/liminix-tools/services/default.nix
@ -5,13 +5,14 @@
 , busybox
 , callPackage
 , writeScript
+, serviceFns
 }:
 let
  inherit (builtins) concatStringsSep;
  output = service: name: "/run/service-state/${service.name}/${name}";
  serviceScript = commands : ''
    #!${busybox}/bin/sh
-    output() { cat $1/.outputs/$2; }
+    . ${serviceFns}
    ${commands}
  '';
  service = {