From c192fd5d4ccc064478a1be1c12bd36f29d1d6208 Mon Sep 17 00:00:00 2001
From: Lucas Savva
Date: Wed, 5 May 2021 00:27:19 +0100
Subject: [PATCH 1/4] nixos/acme: Ensure certs are always protected
As per #121293, I ensured the UMask is set correctly and removed any unnecessary chmod/chown/chgrp commands. The test suite already partially covered permissions checking but I added an extra check for the selfsigned cert permissions.
(cherry picked from commit 083aba4f83b105c30a1386bdb214cb6c85e119e6)
---
 nixos/modules/security/acme.nix | 16 ++++++++++------
 nixos/tests/acme.nix | 24 +++++++++++++++++-------
 2 files changed, 27 insertions(+), 13 deletions(-)
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index c0250171109..22bf34198a3 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -46,6 +46,7 @@ let
 serviceConfig = commonServiceConfig // {
 StateDirectory = "acme/.minica";
 BindPaths = "/var/lib/acme/.minica:/tmp/ca";
+ UMask = 0077;
 };
 # Working directory will be /tmp
@@ -54,8 +55,6 @@ let
 --ca-key ca/key.pem \
 --ca-cert ca/cert.pem \
 --domains selfsigned.local
-
- chmod 600 ca/*
 '';
 };
@@ -196,6 +195,7 @@ let
 serviceConfig = commonServiceConfig // {
 Group = data.group;
+ UMask = 0027;
 StateDirectory = "acme/${cert}";
@@ -220,10 +220,12 @@ let
 cat cert.pem chain.pem > fullchain.pem
 cat key.pem fullchain.pem > full.pem
- chmod 640 *
-
 # Group might change between runs, re-apply it
 chown 'acme:${data.group}' *
+
+ # Default permissions make the files unreadable by group + anon
+ # Need to be readable by group
+ chmod 640 *
 '';
 };
@@ -340,8 +342,6 @@ let
 fi
 mv domainhash.txt certificates/
- chmod 640 certificates/*
- chmod -R u=rwX,g=,o= accounts/*
 # Group might change between runs, re-apply it
 chown 'acme:${data.group}' certificates/*
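Review bot: `UMask = 0077;` in the minica `serviceConfig` (and `UMask = 0027;` in the later hunk of this file) is a Nix integer literal, and Nix has no octal notation, so the value is the decimal integer 77, which the unit generator presumably writes out as `UMask=77`. systemd parses that field as octal, so the mask in effect is the intended 077, but only because every digit happens to be a valid octal digit and the integer is serialized verbatim; nothing in the module makes that explicit. Writing the value as the string systemd expects, `UMask = "0077";` and `UMask = "0027";`, removes the dependence on that coincidence and reads as the octal mode it is. The `serviceConfig` attribute set continues outside the hunk.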
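Review bot: Removing `chmod -R u=rwX,g=,o= accounts/*` leaves the mode of the ACME account key entirely to how lego creates the file; under the `UMask = 0027` this patch sets on the same service, anything lego writes without an explicit 0600 would be readable by `${data.group}`, and the account key is what authorizes issuance and revocation for that account. The test hunk later in this series asserts 600 on everything under `accounts/`, so lego presumably sets that mode itself today, but that is an upstream property the module no longer enforces. I would keep the line as defence in depth directly after `mv domainhash.txt certificates/`: `chmod -R u=rwX,g=,o= accounts/*`. The script this hunk is taken from starts and ends outside the hunk.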
@@ -357,6 +357,10 @@ let
 ln -sf fullchain.pem out/cert.pem
 cat out/key.pem out/fullchain.pem > out/full.pem
 fi
+
+ # By default group will have no access to the cert files.
+ # This chmod will fix that.
+ chmod 640 out/*
 '';
 };
 };
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix
index fe8c4af3ea2..6532fc4ac1d 100644
--- a/nixos/tests/acme.nix
+++ b/nixos/tests/acme.nix
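Review bot: The new comment `# By default group will have no access to the cert files.` describes the default too broadly: with `UMask = 0027` set on this service earlier in the patch, a file the script itself creates by redirection, such as `out/full.pem` a few lines up, already comes out 0640, so `chmod 640 out/*` is really compensating for files lego writes with an explicit 0600 (the test in this series expects 600 under `.lego/`, which supports that reading). Suggest `# lego writes its files 0600; the copies in out/ must still be readable by the group` so the next reader does not conclude the umask is wrong. The surrounding script starts before this hunk.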
@@ -330,30 +330,38 @@ in import ./make-test-python.nix ({ lib, ... }: {
 with subtest("Can request certificate with HTTPS-01 challenge"):
 webserver.wait_for_unit("acme-finished-a.example.test.target")
- check_fullchain(webserver, "a.example.test")
- check_issuer(webserver, "a.example.test", "pebble")
- check_connection(client, "a.example.test")
 with subtest("Certificates and accounts have safe + valid permissions"):
 group = "${nodes.webserver.config.security.acme.certs."a.example.test".group}"
 webserver.succeed(
- f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/a.example.test/* | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"
+ f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test/*.pem | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"
 )
 webserver.succeed(
- f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/.lego/a.example.test/**/* | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"
+ f"test $(stat -L -c '%a %U %G' /var/lib/acme/.lego/a.example.test/**/a.example.test* | tee /dev/stderr | grep '600 acme {group}' | wc -l) -eq 4"
 )
 webserver.succeed(
- f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/a.example.test | tee /dev/stderr | grep '750 acme {group}' | wc -l) -eq 1"
+ f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test | tee /dev/stderr | grep '750 acme {group}' | wc -l) -eq 1"
 )
 webserver.succeed(
- f"test $(find /var/lib/acme/accounts -type f -exec stat -L -c \"%a %U %G\" {{}} \\; | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0"
+ f"test $(find /var/lib/acme/accounts -type f -exec stat -L -c '%a %U %G' {{}} \\; | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0"
 )
+ with subtest("Certs are accepted by web server"):
+ webserver.succeed("systemctl start nginx.service")
+ check_fullchain(webserver, "a.example.test")
+ check_issuer(webserver, "a.example.test", "pebble")
+ check_connection(client, "a.example.test")
+
+ # Selfsigned certs tests happen late so we aren't fighting the system init
triggering cert renewal
 with subtest("Can generate valid selfsigned certs"):
 webserver.succeed("systemctl clean acme-a.example.test.service --what=state")
 webserver.succeed("systemctl start acme-selfsigned-a.example.test.service")
 check_fullchain(webserver, "a.example.test")
 check_issuer(webserver, "a.example.test", "minica")
+ # Check selfsigned permissions
+ webserver.succeed(
+ f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test/*.pem | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"
+ )
 # Will succeed if nginx can load the certs
 webserver.succeed("systemctl start nginx-config-reload.service")
@@ -376,6 +384,8 @@ in import ./make-test-python.nix ({ lib, ... }: {
 webserver.wait_for_unit("acme-finished-a.example.test.target")
 check_connection_key_bits(client, "a.example.test", "384")
 webserver.succeed("grep testing /var/lib/acme/a.example.test/test")
+ # Clean to remove the testing file (and anything else messy we did)
+ webserver.succeed("systemctl clean acme-a.example.test.service --what=state")
 with subtest("Correctly implements OCSP stapling"):
 switch_to(webserver, "ocsp-stapling")
From 192a522abb5eae28d426d43565f8011e91f93b50 Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Sun, 8 Aug 2021 15:45:51 +0100
Subject: [PATCH 2/4] wolfssl: add patches for CVE-2021-37155
---
 pkgs/development/libraries/wolfssl/default.nix | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/pkgs/development/libraries/wolfssl/default.nix b/pkgs/development/libraries/wolfssl/default.nix
index 4635a80152d..9f8c2b3f290 100644
--- a/pkgs/development/libraries/wolfssl/default.nix
+++ b/pkgs/development/libraries/wolfssl/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, autoreconfHook }:
+{ lib, stdenv, fetchFromGitHub, fetchpatch, autoreconfHook }:
 stdenv.mkDerivation rec {
 pname = "wolfssl";
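Review bot: None of the permission checks in this subtest, nor the new selfsigned check, looks at `/var/lib/acme/.minica`, although this series changes how that directory is protected (the minica unit now relies on `UMask = 0077` instead of an explicit `chmod 600 ca/*`); the selfsigned check only asserts 640 on the leaf `*.pem` files, so a regression that leaves the self-signed CA key group- or world-readable would still pass. After `check_issuer(webserver, "a.example.test", "minica")` I would add `webserver.succeed("test $(stat -L -c '%a %U %G' /var/lib/acme/.minica/* | tee /dev/stderr | grep -v '^600 ' | wc -l) -eq 0")`, tightening the pattern to the owner and group the minica unit runs as, which is not visible here; judging by the `BindPaths` in the module hunk the CA key and cert presumably sit directly under that directory. The test script continues outside this hunk.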
@@ -11,6 +11,19 @@ stdenv.mkDerivation rec {
 sha256 = "1aa51j0xnhi49izc8djya68l70jkjv25559pgybfb9sa4fa4gz97";
 };
+ patches = [
+ (fetchpatch {
+ name = "CVE-2021-37155.part-1.patch";
+ url = "https://github.com/wolfSSL/wolfssl/commit/73076940af8904f98eee085994c176fe1876b95a.patch";
+ sha256 = "1fdg6c49njhxn6yljpqrhrv2s6ci6hyw01xjs42s09ly3xvf2fcx";
+ })
+ (fetchpatch {
+ name = "CVE-2021-37155.part-2.patch";
+ url = "https://github.com/wolfSSL/wolfssl/commit/822aa92fccf77558e250131c1c6e9bb84d07afe8.patch";
+ sha256 = "1n7774hy9ybbxmg8dldqnhw279k7fkxwvw1s2mjjhkzra9w5x2zy";
+ })
+ ];
+
 # almost same as Debian but for now using --enable-all --enable-reproducible-build instead of --enable-distro to ensure options.h gets installed
 configureFlags = [ "--enable-all" "--enable-reproducible-build" "--enable-pkcs11" "--enable-tls13" "--enable-base64encode" ];
From 08252a1cc42a7520d6e209229484b122e71b0690 Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Sun, 8 Aug 2021 18:29:32 +0100
Subject: [PATCH 3/4] tor: 0.4.5.7 -> 0.4.5.9
---
 pkgs/tools/security/tor/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/tools/security/tor/default.nix b/pkgs/tools/security/tor/default.nix
index 2e1e1ae2a67..f2ad0d4ba96 100644
--- a/pkgs/tools/security/tor/default.nix
+++ b/pkgs/tools/security/tor/default.nix
@@ -30,11 +30,11 @@ let
 in stdenv.mkDerivation rec {
 pname = "tor";
- version = "0.4.5.7";
+ version = "0.4.5.9";
 src = fetchurl {
 url = "https://dist.torproject.org/${pname}-${version}.tar.gz";
- sha256 = "0x7hhl0svfc4yh9xvq7kkzgmwjcw1ak9i0794wjg4biy2fmclzs4";
+ sha256 = "0mh8yz6l7sl6kh9max76nk6rhlsq2lhwwvpiwlwnrlif21bf817k";
 };
 outputs = [ "out" "geoip" ];
From b09c989b82f7a4f7319802a1dcf8bfe859d65362 Mon Sep 17 00:00:00 2001
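Review bot: The two `fetchpatch` entries carry the CVE id in `name` but give no pointer to where these two upstream commits were identified as the fix or which release will carry them, so whoever next bumps `version` has no way to tell whether the patches are still needed or will stop applying. A short comment above `patches = [`, such as `# CVE-2021-37155: upstream fix commits; drop once a release containing them is packaged`, would make that bump safe. Pinning the GitHub `.patch` downloads by sha256 through `fetchpatch` is the right choice here, since `fetchpatch` is meant to strip the volatile parts of that output before hashing.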
From: Jonathan Ringer
Date: Thu, 24 Jun 2021 23:37:10 -0700
Subject: [PATCH 4/4] nomad-autoscaler: init at 0.3.3
(cherry picked from commit b432c3ca0db8d14e2441d735b2ab51dd7fd55e8f)
---
 .../cluster/nomad-autoscaler/default.nix | 112 ++++++++++++++++++
 pkgs/top-level/all-packages.nix | 2 +
 2 files changed, 114 insertions(+)
 create mode 100644 pkgs/applications/networking/cluster/nomad-autoscaler/default.nix
diff --git a/pkgs/applications/networking/cluster/nomad-autoscaler/default.nix b/pkgs/applications/networking/cluster/nomad-autoscaler/default.nix
new file mode 100644
index 00000000000..702bf19d579
--- /dev/null
+++ b/pkgs/applications/networking/cluster/nomad-autoscaler/default.nix
@@ -0,0 +1,112 @@
+{ lib, fetchFromGitHub, buildGoModule, go, removeReferencesTo, buildEnv }:
+
+let
+ package = buildGoModule rec {
+ pname = "nomad-autoscaler";
+ version = "0.3.3";
+
+ outputs = [
+ "out"
+ "bin"
+ "aws_asg"
+ "azure_vmss"
+ "datadog"
+ "fixed_value"
+ "gce_mig"
+ "nomad_apm"
+ "nomad_target"
+ "pass_through"
+ "prometheus"
+ "target_value"
+ "threshold"
+ ];
+
+ src = fetchFromGitHub {
+ owner = "hashicorp";
+ repo = "nomad-autoscaler";
+ rev = "v${version}";
+ sha256 = "sha256-bN/U6aCf33B88ouQwTGG8CqARzWmIvXNr5JPr3l8cVI=";
+ };
+
+ vendorSha256 = "sha256-Ls8gkfLyxfQD8krvxjAPnZhf1r1s2MhtQfMMfp8hJII=";
+
+ subPackages = [ "." ];
+
+ nativeBuildInputs = [ removeReferencesTo ];
+
+ # buildGoModule overrides normal buildPhase, can't use makeTargets
+ postBuild = ''
+ make build plugins
+ '';
+
+ # tries to pull tests from network, and fails silently anyway
+ doCheck = false;
+
+ postInstall = ''
+ mkdir -p $bin/bin
+ mv $out/bin/nomad-autoscaler $bin/bin/nomad-autoscaler
+ ln -s $bin/bin/nomad-autoscaler $out/bin/nomad-autoscaler
+
+ for d in $outputs; do
+ mkdir -p ''${!d}/share
+ done
+ rmdir $bin/share
+
+ # have out contain all of the plugins
+ for plugin in bin/plugins/*; do
+ remove-references-to -t ${go} "$plugin"
+ cp "$plugin" $out/share/
+ done
+
+ # populate the outputs as individual plugins
+ # can't think of a more generic way to handle this
+ # bash doesn't allow for dashes '-' to be in a variable name
+ # this means that the output names will need to differ slightly from the binary
+ mv bin/plugins/aws-asg $aws_asg/share/
+ mv bin/plugins/azure-vmss $azure_vmss/share/
+ mv bin/plugins/datadog $datadog/share/
+ mv bin/plugins/fixed-value $fixed_value/share/
+ mv bin/plugins/gce-mig $gce_mig/share/
+ mv bin/plugins/nomad-apm $nomad_apm/share/
+ mv bin/plugins/nomad-target $nomad_target/share/
+ mv bin/plugins/pass-through $pass_through/share/
+ mv bin/plugins/prometheus $prometheus/share/
+ mv bin/plugins/target-value
$target_value/share/
+ mv bin/plugins/threshold $threshold/share/
+ '';
+
+ # make toggle-able, so that overrided versions can disable this check if
+ # they want newer versions of the plugins without having to modify
+ # the output logic
+ doInstallCheck = true;
+ installCheckPhase = ''
+ rmdir bin/plugins || {
+ echo "Not all plugins were extracted"
+ echo "Please move the following to their related output: $(ls bin/plugins)"
+ exit 1
+ }
+ '';
+
+ passthru = {
+ inherit plugins withPlugins;
+ };
+
+ meta = with lib; {
+ description = "Autoscaling daemon for Nomad";
+ homepage = "https://github.com/hashicorp/nomad-autoscaler";
+ license = licenses.mpl20;
+ maintainers = with maintainers; [ jonringer ];
+ };
+ };
+
+ plugins = let
+ plugins = builtins.filter (n: !(lib.elem n [ "out" "bin" ])) package.outputs;
+ in lib.genAttrs plugins (output: package.${output});
+
+ # Intended to be used as: (nomad-autoscaler.withPlugins (ps: [ ps.aws_asg ps.nomad_target ])
+ withPlugins = f: buildEnv {
+ name = "nomad-autoscaler-env";
+ paths = [ package.bin ] ++ f plugins;
+ };
+in
+ package
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 75fc8f3e8d6..6dce49ed66d 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -7130,6 +7130,8 @@ in
 nvidiaGpuSupport = config.cudaSupport or false;
 };
+ nomad-autoscaler = callPackage ../applications/networking/cluster/nomad-autoscaler { };
+
 nomad-driver-podman = callPackage ../applications/networking/cluster/nomad-driver-podman { };
 notable = callPackage ../applications/misc/notable { };
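Review bot: The usage comment above `withPlugins` is missing its closing parenthesis and does not say what the resulting environment is for; suggest `# Intended to be used as: (nomad-autoscaler.withPlugins (ps: [ ps.aws_asg ps.nomad_target ]))` followed by `# the selected plugins land in <env>/share, presumably the directory to hand to nomad-autoscaler's plugin_dir setting — confirm against upstream docs`. Separately, `remove-references-to -t ${go}` is only run on the plugin binaries inside the `for plugin in bin/plugins/*` loop, while the main binary is moved to `$bin/bin` in `postInstall` before buildGoModule's own fixup runs; if that fixup only walks `$out`, the `bin` output may still retain a reference to the Go toolchain, which is worth checking with `nix why-depends` before relying on the `bin` output being small. The `plugins` attribute also shadows its own name inside the inner `let`, which works but reads confusingly; renaming the inner binding to `names` would make `lib.genAttrs plugins` unambiguous.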