authorLuflosi <luflosi@luflosi.de>2023-04-14 02:26:32 +0200
committerLuflosi <luflosi@luflosi.de>2023-04-15 15:24:58 +0200
commit929a00bd84acbf35447d3df1066b1c8afd7ac82d (patch)
tree5c1324eb2ca1abb67a8217545566851dd4d8bf93 /nixos/tests
parent409df93c01854b70606720a50da9bca283e8164e (diff)
nixos/kubo: give normal users access to the daemon by default
Fixes https://github.com/NixOS/nixpkgs/issues/223289.

This doesn't reduce the security in any way since it was already possible for normal users to do what I do here and create such a fake repo for themselves and set their $IPFS_PATH variable to it. It was and still is also possible to just use the --api CLI option.
This change just removes the manual setup that would otherwise be required.

We wouldn't need this workaround if https://github.com/ipfs/kubo/pull/9366 was merged but the fix seems to have been ignored upstream. Patching it ourselves seems like a bad idea since the patch has security implications.
Diffstat (limited to 'nixos/tests')
-rw-r--r--nixos/tests/kubo.nix13
1 files changed, 12 insertions, 1 deletions
diff --git a/nixos/tests/kubo.nix b/nixos/tests/kubo.nix
index e0bd918150ac5..dfe653b5d2717 100644
--- a/nixos/tests/kubo.nix
+++ b/nixos/tests/kubo.nix
@@ -12,6 +12,9 @@
       settings.Addresses.API = "/ip4/127.0.0.1/tcp/2324";
       dataDir = "/mnt/ipfs";
     };
+    users.users.alice = {
+      isNormalUser = true;
+    };
   };
 
   nodes.fuse = { ... }: {
@@ -25,6 +28,14 @@
   testScript = ''
     start_all()
 
+    with subtest("Automatic socket activation"):
+        ipfs_hash = machine.succeed(
+            "echo fnord0 | su alice -l -c 'ipfs add --quieter'"
+        )
+        machine.succeed(f"ipfs cat /ipfs/{ipfs_hash.strip()} | grep fnord0")
+
+    machine.stop_job("ipfs")
+
     with subtest("IPv4 socket activation"):
         machine.succeed("ipfs --api /ip4/127.0.0.1/tcp/2324 id")
         ipfs_hash = machine.succeed(
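Review bot: The read-back in the new "Automatic socket activation" subtest is issued by `machine.succeed` without `su`, so as far as the hunk shows only the `ipfs add` half is exercised as the unprivileged user. Running it as alice too, `machine.succeed(f"su alice -l -c 'ipfs cat /ipfs/{ipfs_hash.strip()}' | grep fnord0")`, would cover both directions of the default access. Since this subtest pins "any local account can reach the daemon API" as expected behaviour, I would state that trust assumption next to it, e.g. `# alice is a plain isNormalUser account: every local user is expected to reach the API by default`. The bare `machine.stop_job("ipfs")` also needs a comment; presumably it stops the daemon so that the following subtest has to start it through socket activation again. The testScript string starts and ends outside this hunk.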
@@ -51,7 +62,7 @@
         # See https://github.com/ipfs/kubo/issues/9044.
         # Workaround: using CID Version 1 avoids that.
         ipfs_hash = fuse.succeed(
-            "echo fnord3 | ipfs --api /ip4/127.0.0.1/tcp/2324 add --quieter --cid-version=1"
+            "echo fnord3 | ipfs add --quieter --cid-version=1"
         ).strip()
 
         fuse.succeed(f"cat /ipfs/{ipfs_hash} | grep fnord3")