From 4ab5646417e3cc606281f71027c12ddced8b65b4 Mon Sep 17 00:00:00 2001
From: Shea Levy
Date: Tue, 11 Feb 2014 07:00:10 -0500
Subject: [PATCH] Add a keys group with read access to /run/keys

This allows processes running as unprivileged users access to keys they might need
---
 nixos/modules/misc/ids.nix                | 1 +
 nixos/modules/system/boot/stage-2-init.sh | 3 ++-
 nixos/modules/system/boot/systemd.nix     | 2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 51da1a2cfce..5f8111eb986 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -201,6 +201,7 @@
     openldap = 93;
     connman = 94;
     munin = 95;
+    keys = 96;
 
     # When adding a gid, make sure it doesn't match an existing uid.
 
diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh
index e0ff258c0ee..b749172a3ff 100644
--- a/nixos/modules/system/boot/stage-2-init.sh
+++ b/nixos/modules/system/boot/stage-2-init.sh
@@ -136,7 +136,8 @@ fi
 # elsehwere)
 if ! mountpoint -q /run/keys; then
     rm -rf /run/keys
-    mkdir -m 0700 /run/keys
+    mkdir -m 0750 /run/keys
+    chown root:keys /run/keys
     mount -t ramfs none /run/keys
 fi
 
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index b575deb24b7..e0773c1fab4 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -645,6 +645,8 @@ in
     '';
 
     # Target for ‘charon send-keys’ to hook into.
+    users.extraGroups.keys.gid = config.ids.gids.keys;
+
     systemd.targets.keys = {
       description = "Security Keys";
     };
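Review bot: The comment directly under the new `keys = 96;` line requires that a new gid not collide with an existing uid, and the uids set is outside this hunk, so the diff alone does not show that 96 is free as a uid; that should be confirmed against the uids list in ids.nix before merging. The enclosing gids attribute set starts and ends outside the hunk.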
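Review bot: The 0750 mode and root:keys ownership are applied to /run/keys before `mount -t ramfs none /run/keys` mounts over it, so what processes see afterwards is the mode and owner of the ramfs root inode (0755 root by default), not what mkdir and chown set on the underlying directory; the old `mkdir -m 0700` had the same problem, but this commit is the one that relies on the group bits being effective. Move the ownership and mode after the mount, `chown root:keys /run/keys` followed by `chmod 0750 /run/keys`, or pass `-o mode=0750` to mount and chown afterwards. The group name is also resolved by chown at this point in stage 2; if the keys group is first created by the activation script that runs later in boot, the name may not resolve on a freshly installed system, and using the numeric gid declared in ids.nix instead of the name would avoid that. The enclosing if block lies fully inside the hunk.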
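Review bot: The new `users.extraGroups.keys.gid = config.ids.gids.keys;` line is inserted between the comment `# Target for ‘charon send-keys’ to hook into.` and the `systemd.targets.keys` definition that comment describes, so the comment now reads as if it documents the group. Place the group assignment above that comment (or after the target) with its own one-line comment, e.g. `# Group with read access to /run/keys (see stage-2-init.sh).`. The enclosing config attribute set starts and ends outside the hunk.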