3
0
Fork 0
forked from mirrors/nixpkgs

nixos/yggdrasil: set directory permissions before writing keys

Remove the opportunity for someone to read the keys in between when
they are written and when the chmod is done.  Addresses #121293.
This commit is contained in:
Gemini Lasswell 2021-05-06 17:14:03 -07:00 committed by ehmry
parent 468cb5980b
commit 28f51d7757

View file

@ -64,7 +64,7 @@ in {
type = types.str;
default = "root";
example = "wheel";
description = "Group to grant acces to the Yggdrasil control socket.";
description = "Group to grant access to the Yggdrasil control socket.";
};
openMulticastPort = mkOption {
@ -122,12 +122,11 @@ in {
system.activationScripts.yggdrasil = mkIf cfg.persistentKeys ''
if [ ! -e ${keysPath} ]
then
mkdir -p ${builtins.dirOf keysPath}
mkdir --mode=700 -p ${builtins.dirOf keysPath}
${binYggdrasil} -genconf -json \
| ${pkgs.jq}/bin/jq \
'to_entries|map(select(.key|endswith("Key")))|from_entries' \
> ${keysPath}
chmod 600 ${keysPath}
fi
'';