diff options
author | Silvan Mosberger <contact@infinisil.com> | 2021-05-03 16:24:42 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-05-03 16:24:42 +0200 |
commit | 3e930b7e4af198da958cd3abc614aded8500314f (patch) | |
tree | f47a775213ca23f7a02b8d9ac4bb76b9a2caace2 | |
parent | 1d76dfb811ef8b60fc8a86bef7cc3d9cd2e2d9bf (diff) | |
parent | a874a8a98b5cd197acf9b2a40b71107db3718f6f (diff) | |
download | nixpkgs-3e930b7e4af198da958cd3abc614aded8500314f.tar nixpkgs-3e930b7e4af198da958cd3abc614aded8500314f.tar.gz nixpkgs-3e930b7e4af198da958cd3abc614aded8500314f.tar.bz2 nixpkgs-3e930b7e4af198da958cd3abc614aded8500314f.tar.lz nixpkgs-3e930b7e4af198da958cd3abc614aded8500314f.tar.xz nixpkgs-3e930b7e4af198da958cd3abc614aded8500314f.tar.zst nixpkgs-3e930b7e4af198da958cd3abc614aded8500314f.zip |
Merge pull request #121294 from nh2/issue-121288-wireguard-fix-chmod-race
wireguard module: generatePrivateKeyFile: Fix chmod security race
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2105.xml | 11 | ||||
-rw-r--r-- | nixos/modules/services/networking/wireguard.nix | 13 |
2 files changed, 19 insertions, 5 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2105.xml b/nixos/doc/manual/release-notes/rl-2105.xml index 2886c4c5f75..2b0a265cd98 100644 --- a/nixos/doc/manual/release-notes/rl-2105.xml +++ b/nixos/doc/manual/release-notes/rl-2105.xml @@ -334,6 +334,17 @@ </para> </listitem> <listitem> + <para> + <link linkend="opt-networking.wireguard.interfaces">networking.wireguard.interfaces.<name>.generatePrivateKeyFile</link>, + which is off by default, had a <literal>chmod</literal> race condition + fixed. As an aside, the parent directory's permissions were widened, + and the key files were made owner-writable. + This only affects newly created keys. + However, if the exact permissions are important for your setup, read + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/121294">#121294</link>. + </para> + </listitem> + <listitem> <para> <link linkend="opt-boot.zfs.forceImportAll">boot.zfs.forceImportAll</link> previously did nothing, but has been fixed. However its default has been diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix index 34c86934535..043bce16e54 100644 --- a/nixos/modules/services/networking/wireguard.nix +++ b/nixos/modules/services/networking/wireguard.nix @@ -246,12 +246,15 @@ let }; script = '' - mkdir --mode 0644 -p "${dirOf values.privateKeyFile}" + set -e + + # If the parent dir does not already exist, create it. + # Otherwise, does nothing, keeping existing permisions intact. + mkdir -p --mode 0755 "${dirOf values.privateKeyFile}" + if [ ! -f "${values.privateKeyFile}" ]; then - touch "${values.privateKeyFile}" - chmod 0600 "${values.privateKeyFile}" - wg genkey > "${values.privateKeyFile}" - chmod 0400 "${values.privateKeyFile}" + # Write private key file with atomically-correct permissions. + (set -e; umask 077; wg genkey > "${values.privateKeyFile}") fi ''; }; |