nixos/fcgiwrap: fail eval with security assertion

This adds a security assertion when using the global instance of fcgiwrap, which is vulnerable to a local privilege escalation. This is in addition to the current evaluation warning, and is more in line with being loud with security issues, similarly to with vulnerable packages. The evaluation failure can nevertheless be bypassed by setting: `services.fcgiwrap.allowGlobalInstanceLocalPrivilegeEscalation = true`.
NixOS · Aug 8, 2024 · fee11ef · fee11ef
1 parent 31cdff5
commit fee11ef
Showing 1 changed file with 27 additions and 7 deletions.
diff --git a/nixos/modules/services/web-servers/fcgiwrap.nix b/nixos/modules/services/web-servers/fcgiwrap.nix
@@ -9,6 +9,12 @@ let
     This global instance option is deprecated in favour of per-instance
     options configured through `services.fcgiwrap.instances.*`.
   '';
+  securityWarning = ''
+    The fcgiwrap module is configured with a global shared instance.
+    This has security implications: <TODO: advisory link>.
+    Isolated instances should instead be configured through `services.fcgiwrap.instances.*'.
+    The global options at `services.fcgiwrap.*` will be removed in NixOS 24.11.
+  '';
 
 in {
 
@@ -20,6 +26,17 @@ in {
         description = "Whether to enable fcgiwrap, a server for running CGI applications over FastCGI." + deprecationNote;
       };
 
+      allowGlobalInstanceLocalPrivilegeEscalation = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          The global instance of fcgiwrap configured through this module
+          has a local privilege escalation vulnerability.
+          Set this option to true to accept the risk and bypass the evaluation
+          failure regardless.
+        '';
+      };
+
       preforkProcesses = mkOption {
         type = types.int;
         default = 1;
@@ -54,15 +71,18 @@ in {
   };
 
   config = mkIf cfg.enable {
-    warnings = [
-      ''
-        The fcgiwrap module is configured with a global shared instance.
-        This has security implications: <TODO: advisory link>.
-        Isolated instances should instead be configured through `services.fcgiwrap.instances.*'.
-        The global options at `services.fcgiwrap.*` will be removed in NixOS 24.11.
-      ''
+    assertions = [
+      {
+        assertion = cfg.allowGlobalInstanceLocalPrivilegeEscalation;
+        message = securityWarning + ''
+          To temporarily accept the risk and continue using the global instance,
+          set `services.fcgiwrap.allowGlobalInstanceLocalPrivilegeEscalation` to true.
+        '';
+      }
     ];
 
+    warnings = [ securityWarning ];
+
     systemd.services.fcgiwrap = {
       after = [ "nss-user-lookup.target" ];
       wantedBy = optional (cfg.socketType != "unix") "multi-user.target";