author | Silvan Mosberger <contact@infinisil.com> | 2021-05-03 16:24:42 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-05-03 16:24:42 +0200 |
commit | 3e930b7e4af198da958cd3abc614aded8500314f (patch) | |
tree | f47a775213ca23f7a02b8d9ac4bb76b9a2caace2 /nixos/modules/services/networking | |
parent | 1d76dfb811ef8b60fc8a86bef7cc3d9cd2e2d9bf (diff) | |
parent | a874a8a98b5cd197acf9b2a40b71107db3718f6f (diff) | |
Merge pull request #121294 from nh2/issue-121288-wireguard-fix-chmod-race
wireguard module: generatePrivateKeyFile: Fix chmod security race
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r-- | nixos/modules/services/networking/wireguard.nix | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
index 34c86934535..043bce16e54 100644
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -246,12 +246,15 @@ let
 };
 script = ''
- mkdir --mode 0644 -p "${dirOf values.privateKeyFile}"
+ set -e
+
+ # If the parent dir does not already exist, create it.
+ # Otherwise, does nothing, keeping existing permisions intact.
+ mkdir -p --mode 0755 "${dirOf values.privateKeyFile}"
+
 if [ ! -f "${values.privateKeyFile}" ]; then
- touch "${values.privateKeyFile}"
- chmod 0600 "${values.privateKeyFile}"
- wg genkey > "${values.privateKeyFile}"
- chmod 0400 "${values.privateKeyFile}"
+ # Write private key file with atomically-correct permissions.
+ (set -e; umask 077; wg genkey > "${values.privateKeyFile}")
 fi
 '';
 };
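Review bot: The new `(set -e; umask 077; wg genkey > "${values.privateKeyFile}")` still leaves a partial artifact on failure: the shell opens and truncates the (now correctly 0600) file before `wg genkey` runs, so if `wg` is missing or exits non-zero the script aborts but an empty key file remains, and on the next activation the `[ ! -f ... ]` guard skips regeneration and the empty file would presumably be handed to the interface as its key. Writing to a temporary path in the same directory and renaming keeps the permission fix and makes the existence check trustworthy, e.g. `(set -e; umask 077; wg genkey > "${values.privateKeyFile}.tmp")` followed by `mv "${values.privateKeyFile}.tmp" "${values.privateKeyFile}"`. Two smaller nits in the same hunk: the added comment misspells `permisions`, and GNU `mkdir -p --mode` applies the mode only to the final path component, so any intermediate directories it has to create get umask-derived permissions rather than 0755. The `script` attribute is shown in full, but the enclosing `let` block begins before the hunk.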