author | Gemini Lasswell <gazally@runbox.com> | 2021-05-06 17:14:03 -0700 |
committer | ehmry <ehmry@posteo.net> | 2021-05-08 09:49:19 +0200 |
commit | 28f51d7757a8c240918c5f36bc8c18e3c1877526 (patch) | |
tree | e2b2708ac95fc7beca74c0dd185b9bd1bf9749c6 /nixos/modules/services/networking/yggdrasil.nix | |
parent | 468cb5980b56d348979488a74a9b5de638400160 (diff) | |
nixos/yggdrasil: set directory permissions before writing keys
Remove the opportunity for someone to read the keys in between when they are written and when the chmod is done. Addresses #121293.
Diffstat (limited to 'nixos/modules/services/networking/yggdrasil.nix')
-rw-r--r-- | nixos/modules/services/networking/yggdrasil.nix | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/nixos/modules/services/networking/yggdrasil.nix b/nixos/modules/services/networking/yggdrasil.nix
index a71c635c9f6..47a7152f6fe 100644
--- a/nixos/modules/services/networking/yggdrasil.nix
+++ b/nixos/modules/services/networking/yggdrasil.nix
@@ -64,7 +64,7 @@ in {
 type = types.str;
 default = "root";
 example = "wheel";
- description = "Group to grant acces to the Yggdrasil control socket.";
+ description = "Group to grant access to the Yggdrasil control socket.";
 };
 openMulticastPort = mkOption {
@@ -122,12 +122,11 @@ in {
 system.activationScripts.yggdrasil = mkIf cfg.persistentKeys ''
 if [ ! -e ${keysPath} ]
 then
- mkdir -p ${builtins.dirOf keysPath}
+ mkdir --mode=700 -p ${builtins.dirOf keysPath}
 ${binYggdrasil} -genconf -json \
 | ${pkgs.jq}/bin/jq \
 'to_entries|map(select(.key|endswith("Key")))|from_entries' \
 > ${keysPath}
- chmod 600 ${keysPath}
 fi
 ''; |
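Review bot: With `chmod 600 ${keysPath}` removed in the second hunk, the key file created by the `> ${keysPath}` redirection gets 0666 masked by whatever umask the activation run happens to have (commonly 0644), so its secrecy now rests entirely on the directory being 0700. `mkdir --mode=700 -p` only sets that mode on a directory it creates itself (and, with GNU mkdir, only on the final path component); if `${builtins.dirOf keysPath}` already exists with a looser mode — created earlier by another mechanism, or left behind after the key file was deleted — the command is a no-op and nothing tightens it. Setting the umask for this block closes the window the commit targets and makes the file 0600 from the instant it is opened, independent of the directory: wrap the `mkdir` through `> ${keysPath}` lines in a subshell, `(umask 077` … `)`, rather than a bare `umask 077`, since NixOS concatenates activation scripts into one shell run and a bare umask would leak into the scripts that follow. Keeping `--mode=700` on the `mkdir` line alongside that is fine as defence in depth. The `if` block is fully within the hunk.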