mirrors/sops-nix
1
0
Fork 0
mirror of https://github.com/Mic92/sops-nix.git synced 2024-12-14 11:57:52 +00:00
Code Activity

Merge pull request #6 from Mic92/permission-fixes

Browse source
This commit is contained in:
Jörg Thalheim 2020-07-14 13:26:12 +01:00 committed by GitHub
commit 31f8881819
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
pkgs/sops-install-secrets/main.go
View file

@ -146,14 +146,15 @@ func mountSecretFs(mountpoint string, keysGid int) error {
if err := os.MkdirAll(mountpoint, 0750); err != nil {
return fmt.Errorf("Cannot create directory '%s': %s", mountpoint, err)
}
if err := os.Chown(mountpoint, 0, int(keysGid)); err != nil {
return fmt.Errorf("Cannot change owner/group of '%s' to 0/%d: %s", mountpoint, keysGid, err)
}
if err := unix.Mount("none", mountpoint, "ramfs", unix.MS_NODEV|unix.MS_NOSUID, "mode=0750"); err != nil {
return fmt.Errorf("Cannot mount: %s", err)
}
if err := os.Chown(mountpoint, 0, int(keysGid)); err != nil {
return fmt.Errorf("Cannot change owner/group of '%s' to 0/%d: %s", mountpoint, keysGid, err)
}
return nil
}

5
pkgs/sops-install-secrets/nixos-test.nix
View file

@ -28,7 +28,7 @@
imports = [ ../../modules/sops ];
sops.gnupgHome = "/run/gpghome";
sops.defaultSopsFile = ./test-assets/secrets.yaml;
sops.secrets.test_key = {};
sops.secrets.test_key.owner = "nobody";
# must run before sops
system.activationScripts.gnupghome = lib.stringAfter [ "etc" ] ''
cp -r ${./test-assets/gnupghome} /run/gpghome
@ -45,6 +45,9 @@
testScript = ''
start_all()
server.succeed("cat /run/secrets/test_key | grep -q test_value")
server.succeed("runuser -u nobody -G keys -- cat /run/secrets/test_key >&2")
# should have no permission to read the file
server.fail("runuser -u nobody -- cat /run/secrets/test_key >&2")
'';
} {
inherit pkgs;