NNCP privilege management via s6-sudo

public inbox for nncp-devel@lists.stargrave.org
Atom feed

From: Emery Hemingway <emery@informatics•coop>
To: nncp-devel@lists.cypherpunks.su
Subject: NNCP privilege management via s6-sudo
Date: Mon, 16 Mar 2026 11:22:02 +0000	[thread overview]
Message-ID: <1773658265.uckri0tdp1.astroid@laptop.none> (raw)

Hi,

The discussion around the use or misuse of setuid motivated me to
configure NNCP as a s6-style local service.

https://skarnet.org/software/s6/localservice.html

I am pleased to report that it is possible and practical to invoke
nncp programs from one user, run the actual program as a different
user, and without granted either permissions to the configuration
file, and without setuid executables.

Assuming a regular user wants to run nncp-stat, nncp-stat is now
a script that sets NNCPCMD=nncp-stat in it's environment and calls
s6-sudo /nncp-socket. s6-sudo connects to /nncp-socket and passes
its stdio descriptors, arguments, and environment to that socket.

s6-ipc-server is bound to /nncp-socket and on every connection it
execs a script that checks the connecting user and group against
access rules and sets some environment variables and then execs
to s6-sudod which receives the caller arguments.

s6-sudod opens the configuration file and sets NNCPCFG=FD:….
Permissions are dropped to the nncp user, and the "nncp" command
is execd with its argv0 set to $NNCPCMD from the caller.

In this scheme it seems that the caller cannot access the NNCP
secret keys. nncp-cfgmin works and prints public keys, but
nncp-cfgdir does not because it does not use $NNCPCFG to locate
the configuration file, and is not running as a user that can
open the file containing secrets. There are no guarantees of
course and no one else has audited this setup.

I have a recipe to set this all up with Nix:
https://git.informatics.coop/nix/wciitpkgs/src/branch/trunk/pkgs/by-name/nncp/service.nix

The Nix service can be imported into NixOS or any other Nix OS that
implements modular services.

I was the maintainer of the NixOS module and no one has been
maintaining it since I was banned last year, so I would recommend
anyone using it to migrate to the module service. There is a little
bit of instructions here:
https://wiki.synit.informatics.coop/services/nncp

And instructions for loading the overlay here:
https://git.informatics.coop/nix/wciitpkgs/src/branch/trunk#readme

Cheers,
Emery

                 reply	other threads:[~2026-03-16 11:38 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed