forked from mirrors/nixpkgs
nixos/yggdrasil: set directory permissions before writing keys
Remove the opportunity for someone to read the keys in between when they are written and when the chmod is done. Addresses #121293.
This commit is contained in:
parent
468cb5980b
commit
28f51d7757
|
@ -64,7 +64,7 @@ in {
|
|||
type = types.str;
|
||||
default = "root";
|
||||
example = "wheel";
|
||||
description = "Group to grant acces to the Yggdrasil control socket.";
|
||||
description = "Group to grant access to the Yggdrasil control socket.";
|
||||
};
|
||||
|
||||
openMulticastPort = mkOption {
|
||||
|
@ -122,12 +122,11 @@ in {
|
|||
system.activationScripts.yggdrasil = mkIf cfg.persistentKeys ''
|
||||
if [ ! -e ${keysPath} ]
|
||||
then
|
||||
mkdir -p ${builtins.dirOf keysPath}
|
||||
mkdir --mode=700 -p ${builtins.dirOf keysPath}
|
||||
${binYggdrasil} -genconf -json \
|
||||
| ${pkgs.jq}/bin/jq \
|
||||
'to_entries|map(select(.key|endswith("Key")))|from_entries' \
|
||||
> ${keysPath}
|
||||
chmod 600 ${keysPath}
|
||||
fi
|
||||
'';
|
||||
|
||||
|
|
Loading…
Reference in a new issue