cmd/sharefs: group-accessible permission bits

This works around the race in vfs via supplementary group. Signed-off-by: Ophestra <cat@gensokyo.uk>
2026-04-08 16:14:47 +09:00
parent 351d6c5a35
commit b0ba165107
3 changed files with 31 additions and 22 deletions
--- a/test/interactive/configuration.nix
+++ b/test/interactive/configuration.nix
@@ -8,7 +8,10 @@
      description = "Alice Foobar";
      password = "foobar";
      uid = 1000;
-      extraGroups = [ "wheel" ];
+      extraGroups = [
+        "wheel"
+        "sharefs"
+      ];
    };
    untrusted = {
      isNormalUser = true;
--- a/test/interactive/raceattr.nix
+++ b/test/interactive/raceattr.nix
@@ -1,24 +1,30 @@
 { lib, pkgs, ... }:
-let
-  inherit (pkgs) buildGoModule;
-in
 {
-  environment.systemPackages = [
-    (buildGoModule rec {
-      name = "raceattr";
-      pname = name;
-      tags = [ "raceattr" ];
+  security.wrappers.raceattr =
+    let
+      inherit (pkgs) buildGoModule;
+    in
+    {
+      setuid = true;
+      owner = "root";
+      group = "root";
+      source = "${
+        (buildGoModule rec {
+          name = "raceattr";
+          pname = name;
+          tags = [ "raceattr" ];

-      src = builtins.path {
-        name = "${pname}-src";
-        path = lib.cleanSource ../../cmd/sharefs/test;
-        filter = path: type: (type == "directory") || (type == "regular" && lib.hasSuffix ".go" path);
-      };
-      vendorHash = null;
+          src = builtins.path {
+            name = "${pname}-src";
+            path = lib.cleanSource ../../cmd/sharefs/test;
+            filter = path: type: (type == "directory") || (type == "regular" && lib.hasSuffix ".go" path);
+          };
+          vendorHash = null;

-      preBuild = ''
-        go mod init hakurei.app/raceattr >& /dev/null
-      '';
-    })
-  ];
+          preBuild = ''
+            go mod init hakurei.app/raceattr >& /dev/null
+          '';
+        })
+      }/bin/raceattr";
+    };
 }