diff options
author | Lucas Savva <lucas@m1cr0man.com> | 2021-05-05 00:27:19 +0100 |
---|---|---|
committer | Lucas Savva <lucas@m1cr0man.com> | 2021-05-15 12:41:33 +0100 |
commit | 083aba4f83b105c30a1386bdb214cb6c85e119e6 (patch) | |
tree | cc4f443e8ffdc3deec24652e95ca546d7a520533 /nixos/modules/security/acme.nix | |
parent | ca26ea50d66737922d0edfaaf07449576ece7f8c (diff) | |
download | nixpkgs-083aba4f83b105c30a1386bdb214cb6c85e119e6.tar nixpkgs-083aba4f83b105c30a1386bdb214cb6c85e119e6.tar.gz nixpkgs-083aba4f83b105c30a1386bdb214cb6c85e119e6.tar.bz2 nixpkgs-083aba4f83b105c30a1386bdb214cb6c85e119e6.tar.lz nixpkgs-083aba4f83b105c30a1386bdb214cb6c85e119e6.tar.xz nixpkgs-083aba4f83b105c30a1386bdb214cb6c85e119e6.tar.zst nixpkgs-083aba4f83b105c30a1386bdb214cb6c85e119e6.zip |
nixos/acme: Ensure certs are always protected
As per #121293, I ensured the UMask is set correctly and removed any unnecessary chmod/chown/chgrp commands. The test suite already partially covered permissions checking but I added an extra check for the selfsigned cert permissions.
Diffstat (limited to 'nixos/modules/security/acme.nix')
-rw-r--r-- | nixos/modules/security/acme.nix | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index eb3599b924d..a9e63f7837e 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -46,6 +46,7 @@ let serviceConfig = commonServiceConfig // { StateDirectory = "acme/.minica"; BindPaths = "/var/lib/acme/.minica:/tmp/ca"; + UMask = 0077; }; # Working directory will be /tmp @@ -54,8 +55,6 @@ let --ca-key ca/key.pem \ --ca-cert ca/cert.pem \ --domains selfsigned.local - - chmod 600 ca/* ''; }; @@ -196,6 +195,7 @@ let serviceConfig = commonServiceConfig // { Group = data.group; + UMask = 0027; StateDirectory = "acme/${cert}"; @@ -220,10 +220,12 @@ let cat cert.pem chain.pem > fullchain.pem cat key.pem fullchain.pem > full.pem - chmod 640 * - # Group might change between runs, re-apply it chown 'acme:${data.group}' * + + # Default permissions make the files unreadable by group + anon + # Need to be readable by group + chmod 640 * ''; }; @@ -340,8 +342,6 @@ let fi mv domainhash.txt certificates/ - chmod 640 certificates/* - chmod -R u=rwX,g=,o= accounts/* # Group might change between runs, re-apply it chown 'acme:${data.group}' certificates/* @@ -357,6 +357,10 @@ let ln -sf fullchain.pem out/cert.pem cat out/key.pem out/fullchain.pem > out/full.pem fi + + # By default group will have no access to the cert files. + # This chmod will fix that. + chmod 640 out/* ''; }; }; |