[24.05] backport fcgiwrap instances fix for local privilege escalation issue #331465
Commits on Aug 2, 2024
-
nixos/fcgiwrap-instances: backport isolated multi-instance module
This backports the options `services.fcgiwrap.instances.*`, allowing to configure isolated instances of fcgiwrap, as an alternative to the global shared one. This prepares the deprecation of the latter. Backport of: commit efc7aeb nixos/fcgiwrap: require explicit owner for UNIX sockets commit 4f2da6c nixos/fcgiwrap: add option migration instruction errors (partial: move to instances) commit 51b246a nixos/fcgiwrap: do not run as root by default commit 81f7201 nixos/fcgiwrap: add unix socket owner, private by default commit 289c158 nixos/fcgiwrap: limit prefork type to positives commit 3955eaf nixos/fcgiwrap: improve readability of CLI args commit 022289f nixos/fcgiwrap: group options logically, fix doc commit 41419ca nixos/fcgiwrap: refactor for multiple instances
-
nixos/fcgiwrap: add deprecation notice and security warning
This deprecates the use of the global shared instance of fcgiwrap, due to its security issues (running as root by default, actually insecure control socket, allowing local remote escalation privileges, with no fix due to the multiple consumers). A warning is added to encourage users to migrate to properly isolated instances (`services.fcgiwrap.instances.*`).
-
nixos/smokeping: use isolated fcgiwrap instance
This makes the CGI part of smokeping run as the unprivileged "smokeping" user like the rest of the service (instead of root). This also sets proper permissions for the fcgiwrap control socket. Backport of: commit 4f2da6c nixos/fcgiwrap: add option migration instruction errors (partial: move to instances) commit c5dc3e2 nixos/fcgiwrap: adapt consumer modules and tests commit 8101ae4 nixos/fcgiwrap: adapt consumer modules and tests commit bf2ad6f nixos/fcgiwrap: adapt consumer modules and tests
-
-
nixos/cgit: use isolated fcgiwrap instance, add user/group options
This adds options to set the users and groups as which cgit instances run, allowing the use of an unprivileged user instead of root. "root" is kept as the default user to avoid breaking existing setups, but a warning is shown in that case to alert the user. Backport of: commit 4f2da6c nixos/fcgiwrap: add option migration instruction errors (partial: move to instances) commit 3d10deb nixos/cgit: fix GIT_PROJECT_ROOT ownership commit 2d8626b nixos/cgit: configurable user instead of root commit c5dc3e2 nixos/fcgiwrap: adapt consumer modules and tests commit 8101ae4 nixos/fcgiwrap: adapt consumer modules and tests commit bf2ad6f nixos/fcgiwrap: adapt consumer modules and tests
Commits on Aug 8, 2024
-
nixos/fcgiwrap: fail eval with security assertion
This adds a security assertion when using the global instance of fcgiwrap, which is vulnerable to a local privilege escalation. This is in addition to the current evaluation warning, and is more in line with being loud with security issues, similarly to with vulnerable packages. The evaluation failure can nevertheless be bypassed by setting: `services.fcgiwrap.allowGlobalInstanceLocalPrivilegeEscalation = true`.
Commits on Aug 31, 2024
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.