public inbox for nncp-devel@lists.stargrave.org
* NNCP privilege management via s6-sudo
@ 2026-03-16 11:22 Emery Hemingway
From: Emery Hemingway @ 2026-03-16 11:22 UTC
  To: nncp-devel

Hi,

The discussion around the use or misuse of setuid motivated me to
configure NNCP as a s6-style local service.

https://skarnet.org/software/s6/localservice.html

I am pleased to report that it is possible and practical to invoke
nncp programs from one user, run the actual program as a different
user, without granting either permissions to the configuration
file, and without setuid executables.

Assuming a regular user wants to run nncp-stat, nncp-stat is now
a script that sets NNCPCMD=nncp-stat in its environment and calls
s6-sudo /nncp-socket. s6-sudo connects to /nncp-socket and passes
its stdio descriptors, arguments, and environment to that socket.

s6-ipc-server is bound to /nncp-socket and on every connection it
execs a script that checks the connecting user and group against
access rules and sets some environment variables and then execs
to s6-sudod which receives the caller arguments.

s6-sudod opens the configuration file and sets NNCPCFG=FD:….
Permissions are dropped to the nncp user, and the "nncp" command
is execd with its argv0 set to $NNCPCMD from the caller.

In this scheme it seems that the caller cannot access the NNCP
secret keys. nncp-cfgmin works and prints public keys, but
nncp-cfgdir does not because it does not use $NNCPCFG to locate
the configuration file, and is not running as a user that can
open the file containing secrets. There are no guarantees of
course and no one else has audited this setup.


I have a recipe to set this all up with Nix:
https://git.informatics.coop/nix/wciitpkgs/src/branch/trunk/pkgs/by-name/nncp/service.nix

The Nix service can be imported into NixOS or any other Nix OS that
implements modular services.

I was the maintainer of the NixOS module and no one has been
maintaining it since I was banned last year, so I would recommend
anyone using it to migrate to the module service. There is a little
bit of instruction here:
https://wiki.synit.informatics.coop/services/nncp

And instructions for loading the overlay here:
https://git.informatics.coop/nix/wciitpkgs/src/branch/trunk#readme


Cheers,
Emery
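
The message above relies on two Unix-socket mechanisms: the server learning who connected, and the caller handing over its own descriptors. The following is an added Python illustration of both on Linux; it is not part of the message and is not s6 or NNCP code. The function names, the `show-public` command and the `pub:`/`secret:` config format are constructed for the example.

```python
import os
import socket
import struct

def peer_uid(conn):
    """uid of the process at the other end of a Unix socket (Linux SO_PEERCRED)."""
    ucred = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                            struct.calcsize("iII"))
    _pid, uid, _gid = struct.unpack("iII", ucred)
    return uid

def client_request(sock, command, out_fd):
    """Caller side: send a command name plus our own output descriptor."""
    socket.send_fds(sock, [command.encode()], [out_fd])

def serve_one(conn, config_path, allowed_uids):
    """Privileged side: vet the caller, read the config, answer on the caller's fd."""
    data, fds, _flags, _addr = socket.recv_fds(conn, 256, 1)
    try:
        if not fds or peer_uid(conn) not in allowed_uids or data != b"show-public":
            return False              # refused: nothing is written to the caller
        with open(config_path) as cfg:    # the caller never opens this file
            public = [ln for ln in cfg if ln.startswith("pub:")]
        os.write(fds[0], "".join(public).encode())
        return True
    finally:
        for fd in fds:                # drop our copies of the caller's descriptors
            os.close(fd)

if __name__ == "__main__":
    import tempfile
    # Constructed config: one public line, one secret line.
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write("pub: AAAA\nsecret: BBBB\n")
    caller, server = socket.socketpair()  # stands in for the listening socket
    client_request(caller, "show-public", 1)  # pass our stdout
    print("served:", serve_one(server, f.name, {os.getuid()}))
    os.unlink(f.name)
```

In a real deployment the two sides are separate processes under different users, and the access decision comes from the server's rules rather than from anything the caller sends.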
