nixos/yggdrasil: set directory permissions before writing keys

Remove the opportunity for someone to read the keys in between when
they are written and when the chmod is done.  Addresses #121293.
Gemini Lasswell 2021-05-06 17:14:03 -07:00 committed by ehmry
parent 468cb5980b
commit 28f51d7757
1 changed files with 2 additions and 3 deletions


@ -64,7 +64,7 @@ in {
type = types.str; type = types.str;
default = "root"; default = "root";
example = "wheel"; example = "wheel";
description = "Group to grant acces to the Yggdrasil control socket."; description = "Group to grant access to the Yggdrasil control socket.";
}; };
openMulticastPort = mkOption { openMulticastPort = mkOption {
@ -122,12 +122,11 @@ in {
system.activationScripts.yggdrasil = mkIf cfg.persistentKeys '' system.activationScripts.yggdrasil = mkIf cfg.persistentKeys ''
if [ ! -e ${keysPath} ] if [ ! -e ${keysPath} ]
then then
mkdir -p ${builtins.dirOf keysPath} mkdir --mode=700 -p ${builtins.dirOf keysPath}
${binYggdrasil} -genconf -json \ ${binYggdrasil} -genconf -json \
| ${pkgs.jq}/bin/jq \ | ${pkgs.jq}/bin/jq \
'to_entries|map(select(.key|endswith("Key")))|from_entries' \ 'to_entries|map(select(.key|endswith("Key")))|from_entries' \
> ${keysPath} > ${keysPath}
chmod 600 ${keysPath}
fi fi
''; '';
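Review bot: In the activation script, the key file's confidentiality now rests entirely on the directory mode, but `mkdir --mode=700 -p` applies that mode only when it creates the final directory itself. If `${builtins.dirOf keysPath}` already exists with looser permissions (for example, left by an earlier activation; this is inferred, not visible here), its mode is untouched. With `chmod 600 ${keysPath}` removed, the redirect then creates the key file with whatever the activation umask allows. Creating the file under a restrictive umask covers both the original race and this case: wrap the `mkdir` and the pipeline in a subshell, `( umask 077; mkdir -p ...; ... > ${keysPath} )`. The subshell keeps the umask from leaking into later activation snippets, assuming they share one shell. Separately, a failing `-genconf` or `jq` still leaves an empty `${keysPath}` behind, which the `[ ! -e ${keysPath} ]` guard will treat as existing keys on the next activation.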