
nixos/darkhttpd: change listening address default to ::1 #353402

Open · wants to merge 2 commits into base: master

Conversation

@vojta001 (Contributor) commented Nov 3, 2024

We unconditionally pass --ipv6 to the binary. In older versions, setting both --addr 127.0.0.1 and --ipv6 resulted in listening on [::], a potential security issue. On the other hand, the binary started.

With the current version however, --ipv6 implies an IPv6 address in --addr resulting in a crash with: "darkhttpd: malformed --addr argument"

While this commit is technically a BC-break, it should be harmless as existing users either do not explicitly set the address and the server refuses the start (making this change rather a fix) or they set the address and are therefore unaffected.


The above excerpt from the commit message shall summarize the changes well. I just want to add that this is not a BC-break; it is a bug fix, which shall qualify it for merging despite the freeze in #339153.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.


We unconditionally pass --ipv6 to the binary. In older versions, setting
both --addr 127.0.0.1 and --ipv6 resulted in listening on [::],
a potential security issue. On the other hand, the binary started.

With the current version however, --ipv6 implies an IPv6 address in
--addr resulting in a crash with: "darkhttpd: malformed --addr argument"

While this commit is technically a BC-break, it should be harmless as
existing users either do not explicitly set the address and the server
refuses the start (making this change rather a fix) or they set the
address and are therefore unaffected.
@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Nov 3, 2024
@patka-123 (Contributor) left a comment

Makes sense and LGTM!

This does not seem to have ever been intended, it was probably caused by
the same parsing issue as described in commit abdadde

Listening on [::] makes darkhttpd see IPv4 connections under ::ffff:a.b.c.d
@bobvanderlinden (Member) left a comment

Makes sense as a fix for the most common behavior (ipv6 enabled).

Do machines without IPv6 currently work correctly? Will the PR change break such setups with a default binding?

It seems the default should ideally depend on the enableIPv6 option?

@wegank wegank added the 12.approvals: 2 This PR was reviewed and approved by two reputable people label Nov 3, 2024
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Nov 4, 2024
@wegank wegank added 12.approvals: 3+ This PR was reviewed and approved by three or more reputable people and removed 12.approvals: 2 This PR was reviewed and approved by two reputable people labels Nov 19, 2024
@@ -27,11 +27,11 @@ in {
};

address = mkOption {
default = "127.0.0.1";
default = "::1";
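Review bot: the new default `"::1"` assumes the host has IPv6 enabled, and because the module passes `--ipv6` unconditionally (as the PR description states), a system with IPv6 disabled would now fail to bind its loopback default where `127.0.0.1` used to work. Suggest tying the default to `config.networking.enableIPv6` with a matching `defaultText`, e.g. `default = if config.networking.enableIPv6 then "::1" else "127.0.0.1";`, and gating the `--ipv6` argument on the same condition so the address family of `--addr` always matches the flag.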
A Member left a review comment on this hunk:
Suggested change
default = "::1";
default = if config.networking.enableIPv6 then "::1" else "127.0.0.1";
defaultText = lib.literalExpression ''if config.networking.enableIPv6 then "::1" else "127.0.0.1"'';

A Member replied:
Then we would also have to adjust:

We unconditionally pass --ipv6 to the binary

A Member replied:

🤔 probably, I am unsure

@wegank wegank added 12.approvals: 2 This PR was reviewed and approved by two reputable people and removed 12.approvals: 3+ This PR was reviewed and approved by three or more reputable people labels Nov 20, 2024
@vojta001 (Contributor, Author) commented:

@bobvanderlinden @SuperSandro2000 Oh I completely forgot about machines without IPv6. In such a case I don't think we should detect IPv6 status by the config.networking.enableIPv6 option. It's good for setting defaults, but not for deciding the flag --ipv6 as it makes the binary crash in case you disable IPv6 via other means (I can think of toggling some systemd options for this unit only).

I therefore propose to add another config option for darkhttpd to decide whether to enable IPv6 support. It would default to config.networking.enableIPv6 and control the other stuff discussed here.
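One way to shape the option proposed in the comment above, as an added sketch that is not part of this PR or of the nixpkgs darkhttpd module: a `services.darkhttpd.enableIPv6` toggle that defaults to `config.networking.enableIPv6` and drives both the `address` default and the `--ipv6` flag, plus an assertion that rejects an IPv4 `--addr` combined with `--ipv6` at evaluation time instead of letting the binary crash at start. Only `address` comes from the hunk on this page; the option names `enable`, `enableIPv6`, `port` and `rootDir` and the `ExecStart` shape are assumptions for the illustration.

```nix
# Added sketch, not the nixpkgs darkhttpd module: an IPv6 toggle that keeps the
# bind address and the --ipv6 flag consistent. Option names other than
# `address` are assumed for illustration.
{ config, lib, pkgs, ... }:
let
  cfg = config.services.darkhttpd;
in
{
  options.services.darkhttpd = {
    enable = lib.mkEnableOption "darkhttpd web server";

    enableIPv6 = lib.mkOption {
      type = lib.types.bool;
      default = config.networking.enableIPv6;
      defaultText = lib.literalExpression "config.networking.enableIPv6";
      description = ''
        Whether to pass --ipv6 to darkhttpd. Set this to false on a host
        where IPv6 is disabled by other means (e.g. per-unit systemd
        settings), since --ipv6 makes darkhttpd refuse an IPv4 --addr.
      '';
    };

    address = lib.mkOption {
      type = lib.types.str;
      # Loopback in either family, so nothing is exposed unintentionally.
      default = if cfg.enableIPv6 then "::1" else "127.0.0.1";
      defaultText = lib.literalExpression ''if config.services.darkhttpd.enableIPv6 then "::1" else "127.0.0.1"'';
      description = "Address to listen on.";
    };

    port = lib.mkOption {
      type = lib.types.port;
      default = 80;
      description = "TCP port to listen on.";
    };

    rootDir = lib.mkOption {
      type = lib.types.path;
      description = "Directory to serve.";
    };
  };

  config = lib.mkIf cfg.enable {
    # Catch the mismatch at nixos-rebuild time instead of at service start:
    # with --ipv6, darkhttpd rejects an IPv4 literal in --addr.
    assertions = [
      {
        assertion = cfg.enableIPv6 -> lib.hasInfix ":" cfg.address;
        message = ''
          services.darkhttpd.address must be an IPv6 address (e.g. "::1")
          when services.darkhttpd.enableIPv6 is true.
        '';
      }
    ];

    systemd.services.darkhttpd = {
      description = "darkhttpd web server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      # --ipv6 is only passed when the toggle is on, so the flag and the
      # address family of --addr can never disagree.
      serviceConfig.ExecStart = lib.escapeShellArgs (
        [
          "${pkgs.darkhttpd}/bin/darkhttpd"
          (toString cfg.rootDir)
          "--addr" cfg.address
          "--port" (toString cfg.port)
        ]
        ++ lib.optional cfg.enableIPv6 "--ipv6"
      );
    };
  };
}
```

With this shape a user who keeps `networking.enableIPv6 = true` but disables IPv6 for this unit alone sets `services.darkhttpd.enableIPv6 = false`, which flips the default address back to `127.0.0.1` and drops `--ipv6` together; a user who sets an explicit IPv4 `address` while leaving IPv6 enabled gets an evaluation-time assertion rather than the "malformed --addr argument" crash described in the PR.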
