Merge pull request #121294 from nh2/issue-121288-wireguard-fix-chmod-race

wireguard module: generatePrivateKeyFile: Fix chmod security race

nixos/doc/manual/release-notes/rl-2105.xml

@@ -333,6 +333,17 @@
       <literal>vim</literal> and <literal>neovim</literal> switched to Python 3, dropping all Python 2 support.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     <link linkend="opt-networking.wireguard.interfaces">networking.wireguard.interfaces.&lt;name&gt;.generatePrivateKeyFile</link>,
+     which is off by default, had a <literal>chmod</literal> race condition
+     fixed. As an aside, the parent directory's permissions were widened,
+     and the key files were made owner-writable.
+     This only affects newly created keys.
+     However, if the exact permissions are important for your setup, read
+     <link xlink:href="https://github.com/NixOS/nixpkgs/pull/121294">#121294</link>.
+    </para>
+   </listitem>
    <listitem>
      <para>
       <link linkend="opt-boot.zfs.forceImportAll">boot.zfs.forceImportAll</link>

nixos/modules/services/networking/wireguard.nix

@@ -246,12 +246,15 @@ let
         };
 
         script = ''
-          mkdir --mode 0644 -p "${dirOf values.privateKeyFile}"
+          set -e
+
+          # If the parent dir does not already exist, create it.
+          # Otherwise, does nothing, keeping existing permisions intact.
+          mkdir -p --mode 0755 "${dirOf values.privateKeyFile}"
+
           if [ ! -f "${values.privateKeyFile}" ]; then
-            touch "${values.privateKeyFile}"
+            # Write private key file with atomically-correct permissions.
-            chmod 0600 "${values.privateKeyFile}"
+            (set -e; umask 077; wg genkey > "${values.privateKeyFile}")
-            wg genkey > "${values.privateKeyFile}"
-            chmod 0400 "${values.privateKeyFile}"
           fi
         '';
       };