[24.05] backport fcgiwrap instances fix for local privilege escalation issue #331465
Commits on Aug 2, 2024
- aaa0457 nixos/fcgiwrap-instances: backport isolated multi-instance module

  This backports the options `services.fcgiwrap.instances.*`, allowing the configuration of isolated instances of fcgiwrap, as an alternative to the global shared one. This prepares the deprecation of the latter.

  Backport of:
  - efc7aeb nixos/fcgiwrap: require explicit owner for UNIX sockets
  - 4f2da6c nixos/fcgiwrap: add option migration instruction errors (partial: move to instances)
  - 51b246a nixos/fcgiwrap: do not run as root by default
  - 81f7201 nixos/fcgiwrap: add unix socket owner, private by default
  - 289c158 nixos/fcgiwrap: limit prefork type to positives
  - 3955eaf nixos/fcgiwrap: improve readability of CLI args
  - 022289f nixos/fcgiwrap: group options logically, fix doc
  - 41419ca nixos/fcgiwrap: refactor for multiple instances
- 0cb1143 nixos/fcgiwrap: add deprecation notice and security warning

  This deprecates the use of the global shared instance of fcgiwrap, due to its security issues (running as root by default, actually insecure control socket, allowing local remote privilege escalation, with no fix due to the multiple consumers). A warning is added to encourage users to migrate to properly isolated instances (`services.fcgiwrap.instances.*`).
- 6a8e124 nixos/smokeping: use isolated fcgiwrap instance

  This makes the CGI part of smokeping run as the unprivileged "smokeping" user like the rest of the service (instead of root). This also sets proper permissions for the fcgiwrap control socket.

  Backport of:
  - 4f2da6c nixos/fcgiwrap: add option migration instruction errors (partial: move to instances)
  - c5dc3e2 nixos/fcgiwrap: adapt consumer modules and tests
  - 8101ae4 nixos/fcgiwrap: adapt consumer modules and tests
  - bf2ad6f nixos/fcgiwrap: adapt consumer modules and tests
- 483dd7e
- 31cdff5 nixos/cgit: use isolated fcgiwrap instance, add user/group options

  This adds options to set the users and groups as which cgit instances run, allowing the use of an unprivileged user instead of root. "root" is kept as the default user to avoid breaking existing setups, but a warning is shown in that case to alert the user.

  Backport of:
  - 4f2da6c nixos/fcgiwrap: add option migration instruction errors (partial: move to instances)
  - 3d10deb nixos/cgit: fix GIT_PROJECT_ROOT ownership
  - 2d8626b nixos/cgit: configurable user instead of root
  - c5dc3e2 nixos/fcgiwrap: adapt consumer modules and tests
  - 8101ae4 nixos/fcgiwrap: adapt consumer modules and tests
  - bf2ad6f nixos/fcgiwrap: adapt consumer modules and tests
Commits on Aug 8, 2024
- fee11ef nixos/fcgiwrap: fail eval with security assertion

  This adds a security assertion when using the global instance of fcgiwrap, which is vulnerable to a local privilege escalation. This is in addition to the current evaluation warning, and is more in line with being loud about security issues, similarly to what is done with vulnerable packages. The evaluation failure can nevertheless be bypassed by setting: `services.fcgiwrap.allowGlobalInstanceLocalPrivilegeEscalation = true`.
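The migration the commits above (aaa0457 and fee11ef) describe, as an added configuration example that is not part of this PR or of nixpkgs: the deprecated global instance, with the assertion escape hatch shown only to be rejected, next to a per-consumer isolated instance. The option names `services.fcgiwrap.instances.<name>.process.{user,group}` and `.socket.{user,group,address}` are assumed to match the backported module; the consumer name `myapp`, its user/group, the CGI directory and the nginx vhost are hypothetical, and the `fastcgi_params` include path is assumed from the nginx package layout.

```nix
# Added example, not code from this PR. Option names are assumed to match the
# backported `services.fcgiwrap.instances.*` module; "myapp" is hypothetical.
{ config, ... }:

{
  # Weak setting: the global shared instance. It runs fcgiwrap as root by
  # default and its control socket is reachable by other local users, which
  # is the local privilege escalation the assertion in fee11ef fires on.
  # After this backport the only way to keep it is the escape hatch below;
  # leave both lines commented out and migrate instead.
  #
  # services.fcgiwrap.enable = true;
  # services.fcgiwrap.allowGlobalInstanceLocalPrivilegeEscalation = true;

  # Corrected setting: one isolated instance per consumer, unprivileged.
  users.users.myapp = {
    isSystemUser = true;
    group = "myapp";
  };
  users.groups.myapp = { };

  services.fcgiwrap.instances.myapp = {
    # CGI programs run as this user and group, never as root.
    process.user = "myapp";
    process.group = "myapp";
    # The UNIX socket is private by default and needs an explicit owner;
    # giving it to the web server user means only nginx can connect to it.
    socket = { inherit (config.services.nginx) user group; };
  };

  services.nginx = {
    enable = true;
    virtualHosts."cgi.example.org".locations."/cgi-bin/" = {
      extraConfig = ''
        # fastcgi_params location assumed from the nginx package layout.
        include ${config.services.nginx.package}/conf/fastcgi_params;
        # Hypothetical CGI directory; it must be readable by "myapp".
        fastcgi_param SCRIPT_FILENAME /var/lib/myapp/cgi-bin$fastcgi_script_name;
        # Reference the instance's socket path instead of hard-coding it.
        fastcgi_pass unix:${config.services.fcgiwrap.instances.myapp.socket.address};
      '';
    };
  };
}
```

After a rebuild, two checks confirm the isolation the commits aim for (the unit name `fcgiwrap-myapp` is assumed from the instance name): `systemctl show -p User,Group fcgiwrap-myapp` should report the `myapp` user and group rather than root, and `ls -l` on the socket path should show it owned by the nginx user with no access for other users or groups.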
Commits on Aug 31, 2024
- 8931f18