From 8309368e4c29d0ffa954dde669db7f1a17fcd374 Mon Sep 17 00:00:00 2001
From: talyz
Date: Tue, 4 May 2021 17:12:45 +0200
Subject: [PATCH] nixos/keycloak: Set umask before copying sensitive files

`install` copies the files before setting their mode, so there could be a breif window where the secrets are readable by other users without a strict umask.
---
 nixos/modules/services/web-apps/keycloak.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/nixos/modules/services/web-apps/keycloak.nix b/nixos/modules/services/web-apps/keycloak.nix
index 4d4c5f871a6..73ab8e4de97 100644
--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@@ -652,6 +652,8 @@ in
 set -o errexit -o pipefail -o nounset -o errtrace
 shopt -s inherit_errexit
 
+ umask u=rwx,g=,o=
+
 install -T -m 0400 -o keycloak -g keycloak '${cfg.databasePasswordFile}' /run/keycloak/secrets/db_password
 '' + lib.optionalString (cfg.certificatePrivateKeyBundle != null) ''
 install -T -m 0400 -o keycloak -g keycloak '${cfg.certificatePrivateKeyBundle}' /run/keycloak/secrets/ssl_cert_pk_bundle
@@ -660,6 +662,8 @@ in
 set -o errexit -o pipefail -o nounset -o errtrace
 shopt -s inherit_errexit
 
+ umask u=rwx,g=,o=
+
 install -m 0600 ${cfg.package}/standalone/configuration/*.properties /run/keycloak/configuration
 install -T -m 0600 ${keycloakConfig} /run/keycloak/configuration/standalone.xml
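Review bot: The reason for the new `umask u=rwx,g=,o=` line lives only in the commit message; the script itself gives no hint why the mode is restricted before the `install` calls, so a short comment above it would help, e.g. `# install(1) copies before applying -m, so keep new files unreadable by group/others in the meantime`. The same comment belongs on the matching added line in the second hunk (`@@ -660,6 +662,8 @@`). The umask also stays in effect for everything the script creates afterwards, which looks intended given that the `install` calls visible in both hunks use `-m 0400`/`-m 0600`, but any later step appended to these scripts inherits it and would need group- or world-readable output set explicitly. The enclosing shell script starts before and continues after the hunk.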