public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/keycloak: Set umask before copying sensitive files 

`install` copies the files before setting their mode, so there could
be a breif window where the secrets are readable by other users
without a strict umask.
This commit is contained in:
talyz 2021-05-04 17:12:45 +02:00
parent c2bebf4ee2
commit 8309368e4c
No known key found for this signature in database
GPG Key ID: 2DED2151F4671A2B
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
nixos/modules/services/web-apps/keycloak.nix
View File

@ -652,6 +652,8 @@ in
set -o errexit -o pipefail -o nounset -o errtrace
shopt -s inherit_errexit
umask u=rwx,g=,o=
install -T -m 0400 -o keycloak -g keycloak '${cfg.databasePasswordFile}' /run/keycloak/secrets/db_password
'' + lib.optionalString (cfg.certificatePrivateKeyBundle != null) ''
install -T -m 0400 -o keycloak -g keycloak '${cfg.certificatePrivateKeyBundle}' /run/keycloak/secrets/ssl_cert_pk_bundle
@ -660,6 +662,8 @@ in
set -o errexit -o pipefail -o nounset -o errtrace
shopt -s inherit_errexit
umask u=rwx,g=,o=
install -m 0600 ${cfg.package}/standalone/configuration/*.properties /run/keycloak/configuration
install -T -m 0600 ${keycloakConfig} /run/keycloak/configuration/standalone.xml