From 59ce03630a5f8c52b35c49ac4f98b9d7dd9735a8 Mon Sep 17 00:00:00 2001 From: Daniel Barlow Date: Sat, 25 Feb 2023 22:53:06 +0000 Subject: [PATCH] consistent ownership/permissions for /run/service-state/** --- modules/base.nix | 3 ++ modules/s6/scripts/rc.init | 3 ++ overlay.nix | 10 +++++ pkgs/liminix-tools/networking/dnsmasq.nix | 4 +- pkgs/liminix-tools/networking/pppoe.nix | 20 ++++----- pkgs/liminix-tools/networking/udhcpc.nix | 52 +++++++++++------------ pkgs/liminix-tools/services/default.nix | 3 +- 7 files changed, 57 insertions(+), 38 deletions(-) diff --git a/modules/base.nix b/modules/base.nix index 377adca..a1c2e0b 100644 --- a/modules/base.nix +++ b/modules/base.nix @@ -121,6 +121,9 @@ in { root = { gid = 0; usernames = ["root"]; }; + system = { + gid = 1; usernames = ["root"]; + }; }; filesystem = dir { diff --git a/modules/s6/scripts/rc.init b/modules/s6/scripts/rc.init index 8d43699..7a23881 100755 --- a/modules/s6/scripts/rc.init +++ b/modules/s6/scripts/rc.init @@ -18,6 +18,9 @@ shift mount -t proc none /proc mount -t sysfs none /sys +mkdir -m 0750 /run/service-state +chgrp system /run/service-state + ### If your services are managed by s6-rc: ### (replace /run/service with your scandir) s6-rc-init /run/service -d -c /etc/s6-rc/compiled diff --git a/overlay.nix b/overlay.nix index ae95f18..a77dcbf 100644 --- a/overlay.nix +++ b/overlay.nix @@ -89,6 +89,16 @@ final: prev: { netlink-lua = final.callPackage ./pkgs/netlink-lua {}; waitup = final.callPackage ./pkgs/waitup {}; + serviceFns = final.writeText "service-fns.sh" '' + output() { cat $1/.outputs/$2; } + output_path() { echo $(realpath $1/.outputs)/$2; } + mkoutputs() { + d=/run/service-state/$1 + mkdir -m 2750 -p $d && chown root:system $d + echo $d + } + ''; + # these are packages for the build system not the host/target tufted = final.callPackage ./pkgs/tufted {}; diff --git a/pkgs/liminix-tools/networking/dnsmasq.nix b/pkgs/liminix-tools/networking/dnsmasq.nix index a7c3403..8c98ab2 100644 
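Review bot: In `mkoutputs` (overlay.nix hunk), `echo $d` runs even when `mkdir` or `chown` has failed, so a caller using `cd $(mkoutputs …)` is handed a path that may not exist or may carry the wrong group. Chaining the echo gives callers a non-zero status to test: `mkdir -m 2750 -p "$d" && chown root:system "$d" && echo "$d"`. `mkdir -p` also leaves the mode of an already existing directory untouched, so a directory created earlier with looser bits keeps them; an explicit `chmod 2750 "$d"` after the mkdir would enforce the intended mode. `$1`, `$2` and `$d` are unquoted in all three helpers, which matters if a service name ever contains whitespace or glob characters.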
--- a/pkgs/liminix-tools/networking/dnsmasq.nix +++ b/pkgs/liminix-tools/networking/dnsmasq.nix @@ -1,11 +1,12 @@ { liminix , dnsmasq +, serviceFns , lib }: { user ? "dnsmasq" -, group ? "dnsmasq" +, group ? "system" , interface , upstreams ? [] , ranges @@ -19,6 +20,7 @@ in longrun { inherit name; dependencies = [ interface ]; run = '' + . ${serviceFns} ${dnsmasq}/bin/dnsmasq \ --user=${user} \ --domain=${domain} \ diff --git a/pkgs/liminix-tools/networking/pppoe.nix b/pkgs/liminix-tools/networking/pppoe.nix index 1b26671..e2aaac9 100644 --- a/pkgs/liminix-tools/networking/pppoe.nix +++ b/pkgs/liminix-tools/networking/pppoe.nix @@ -5,6 +5,7 @@ , ppp , pppoe , writeAshScript +, serviceFns } : let inherit (liminix.services) longrun; @@ -17,16 +18,15 @@ interface: { let name = "${interface.device}.pppoe"; ip-up = writeAshScript "ip-up" {} '' - outputs=/run/service-state/${name}/ - mkdir -p $outputs - (cd $outputs - echo $1 > ifname - echo $2 > tty - echo $3 > speed - echo $4 > address - echo $5 > peer-address - echo $DNS1 > ns1 - echo $DNS1 > ns2 + . ${serviceFns} + (cd $(mkoutputs ${name}); umask 0027 + echo $1 > ifname + echo $2 > tty + echo $3 > speed + echo $4 > address + echo $5 > peer-address + echo $DNS1 > ns1 + echo $DNS2 > ns2 ) echo >/proc/self/fd/10 ''; diff --git a/pkgs/liminix-tools/networking/udhcpc.nix b/pkgs/liminix-tools/networking/udhcpc.nix index d16a101..a68aa25 100644 --- a/pkgs/liminix-tools/networking/udhcpc.nix +++ b/pkgs/liminix-tools/networking/udhcpc.nix 
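Review bot: Changing the default `group` to `"system"` in the first dnsmasq.nix hunk puts a network-facing daemon in the group that, per the rc.init and overlay.nix hunks of this patch, can read everything under /run/service-state. If `group` is what dnsmasq drops to after start-up (its use is outside the hunk; only `--user=${user}` is visible), a flaw in dnsmasq would expose every service's outputs, not only the ones it needs. Consider keeping a dedicated primary group and granting `system` only where dnsmasq really reads service state, with a comment such as `# group "system": needed to read /run/service-state outputs` recording the reason. The second dnsmasq.nix hunk sources `${serviceFns}`, but no helper call appears in the visible part of `run`, which continues outside the hunk.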
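Review bot: In the `ip-up` script of pppoe.nix, `(cd $(mkoutputs ${name}); umask 0027` carries on after a failed `cd`, so the `echo … > ifname` and the following redirects would land in whatever directory pppd ran the script from, with no error reported. Putting the check on its own line keeps the writes inside the state directory: `cd "$(mkoutputs ${name})" || exit 1`, followed by `umask 0027`; inside the parentheses the `exit` only leaves the subshell, so the readiness write to fd 10 afterwards should also depend on the subshell's status. The same unchecked `cd $(mkoutputs ${name});` appears in `set_address` in the udhcpc.nix hunk. Quoting the values handed over by pppd (`echo "$4" > address`) would additionally avoid word splitting and glob expansion now that the current directory is the outputs directory.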
@@ -10,33 +10,33 @@ interface: { ... } @ args: let name = "${interface.device}.udhcp"; script = writeShellScript "udhcp-notify" '' -action=$1 + . ${serviceFns} + action=$1 -set_address() { - ip address replace $ip/$mask dev $interface - dir=/run/service-state/${name}/ - mkdir -p $dir - for i in lease mask ip router siaddr dns serverid subnet opt53 interface ; do - echo ''${!i} > $dir/$i - done -} -case $action in - deconfig) - ip address flush $interface - ip link set up dev $interface - ;; - bound) - # this doesn't actually replace, it adds a new address. - set_address - ;; - renew) - set_address - ;; - nak) - echo "received NAK on $interface" - ;; -esac -''; + set_address() { + ip address replace $ip/$mask dev $interface + (cd $(mkoutputs ${name}); umask 0027 + for i in lease mask ip router siaddr dns serverid subnet opt53 interface ; do + echo ''${!i} > $i + done) + } + case $action in + deconfig) + ip address flush $interface + ip link set up dev $interface + ;; + bound) + # this doesn't actually replace, it adds a new address. + set_address + ;; + renew) + set_address + ;; + nak) + echo "received NAK on $interface" + ;; + esac + ''; in longrun { inherit name; run = "${busybox}/bin/udhcpc -f -i ${interface.device} -s ${script}"; diff --git a/pkgs/liminix-tools/services/default.nix b/pkgs/liminix-tools/services/default.nix index bbff407..89eb5af 100644 --- a/pkgs/liminix-tools/services/default.nix +++ b/pkgs/liminix-tools/services/default.nix @@ -5,13 +5,14 @@ , busybox , callPackage , writeScript +, serviceFns }: let inherit (builtins) concatStringsSep; output = service: name: "/run/service-state/${service.name}/${name}"; serviceScript = commands : '' #!${busybox}/bin/sh - output() { cat $1/.outputs/$2; } + . ${serviceFns} ${commands} ''; service = {
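Review bot: The udhcpc.nix hunk references `${serviceFns}` inside the `udhcp-notify` script, but unlike dnsmasq.nix, pppoe.nix and services/default.nix, this patch adds no `, serviceFns` to that file's argument set; its only hunk starts at line 10. Unless the name is already in scope in the unchanged lines above (not visible here), evaluating the service would fail on an undefined variable, so `, serviceFns` should be added to the function arguments at the top of the file. Inside `set_address`, `echo ''${!i} > $i` leaves the DHCP-supplied value unquoted; `echo "''${!i}" > "$i"` keeps it free of word splitting and glob expansion against the files already in the outputs directory.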