authorSilvan Mosberger <contact@infinisil.com>2021-05-03 16:24:42 +0200
committerGitHub <noreply@github.com>2021-05-03 16:24:42 +0200
commit3e930b7e4af198da958cd3abc614aded8500314f (patch)
treef47a775213ca23f7a02b8d9ac4bb76b9a2caace2
parent1d76dfb811ef8b60fc8a86bef7cc3d9cd2e2d9bf (diff)
parenta874a8a98b5cd197acf9b2a40b71107db3718f6f (diff)
Merge pull request #121294 from nh2/issue-121288-wireguard-fix-chmod-race
wireguard module: generatePrivateKeyFile: Fix chmod security race
-rw-r--r--nixos/doc/manual/release-notes/rl-2105.xml11
-rw-r--r--nixos/modules/services/networking/wireguard.nix13
2 files changed, 19 insertions, 5 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2105.xml b/nixos/doc/manual/release-notes/rl-2105.xml
index 2886c4c5f75..2b0a265cd98 100644
--- a/nixos/doc/manual/release-notes/rl-2105.xml
+++ b/nixos/doc/manual/release-notes/rl-2105.xml
@@ -334,6 +334,17 @@
     </para>
    </listitem>
    <listitem>
+    <para>
+     <link linkend="opt-networking.wireguard.interfaces">networking.wireguard.interfaces.&lt;name&gt;.generatePrivateKeyFile</link>,
+     which is off by default, had a <literal>chmod</literal> race condition
+     fixed. As an aside, the parent directory's permissions were widened,
+     and the key files were made owner-writable.
+     This only affects newly created keys.
+     However, if the exact permissions are important for your setup, read
+     <link xlink:href="https://github.com/NixOS/nixpkgs/pull/121294">#121294</link>.
+    </para>
+   </listitem>
+   <listitem>
      <para>
       <link linkend="opt-boot.zfs.forceImportAll">boot.zfs.forceImportAll</link>
       previously did nothing, but has been fixed. However its default has been
diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
index 34c86934535..043bce16e54 100644
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -246,12 +246,15 @@ let
         };
 
         script = ''
-          mkdir --mode 0644 -p "${dirOf values.privateKeyFile}"
+          set -e
+
+          # If the parent dir does not already exist, create it.
+          # Otherwise, does nothing, keeping existing permisions intact.
+          mkdir -p --mode 0755 "${dirOf values.privateKeyFile}"
+
           if [ ! -f "${values.privateKeyFile}" ]; then
-            touch "${values.privateKeyFile}"
-            chmod 0600 "${values.privateKeyFile}"
-            wg genkey > "${values.privateKeyFile}"
-            chmod 0400 "${values.privateKeyFile}"
+            # Write private key file with atomically-correct permissions.
+            (set -e; umask 077; wg genkey > "${values.privateKeyFile}")
           fi
         '';
       };
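Review bot: If `wg genkey` fails inside the new subshell, the `>` redirection has already created the key file (empty, owner-only thanks to `umask 077`), and because the guard is still `[ ! -f ... ]`, later runs will skip generation and leave an empty private key in place. Generating into a temporary name in the same directory and renaming it only on success avoids that, for example `(set -e; umask 077; wg genkey > "${values.privateKeyFile}.tmp"; mv "${values.privateKeyFile}.tmp" "${values.privateKeyFile}")`. Separately, `mkdir -p --mode 0755` applies the mode only to the last path component and creates any missing intermediate directories under the ambient umask, so the comment above it could say that the key's confidentiality now rests on the file mode alone, since the directory is world-listable. The surrounding service definition starts and ends outside this hunk.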