From 4eda6711baaa3910424cb593f10d1c7d9fb43731 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 14 Jul 2020 13:21:07 +0100
Subject: [PATCH] fix /etc/secrets.d permissions

---
 pkgs/sops-install-secrets/main.go        | 7 ++++---
 pkgs/sops-install-secrets/nixos-test.nix | 5 ++++-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/pkgs/sops-install-secrets/main.go b/pkgs/sops-install-secrets/main.go
index 7443c68..cb2392c 100644
--- a/pkgs/sops-install-secrets/main.go
+++ b/pkgs/sops-install-secrets/main.go
@@ -146,14 +146,15 @@ func mountSecretFs(mountpoint string, keysGid int) error {
 	if err := os.MkdirAll(mountpoint, 0750); err != nil {
 		return fmt.Errorf("Cannot create directory '%s': %s", mountpoint, err)
 	}
-	if err := os.Chown(mountpoint, 0, int(keysGid)); err != nil {
-		return fmt.Errorf("Cannot change owner/group of '%s' to 0/%d: %s", mountpoint, keysGid, err)
-	}
 
 	if err := unix.Mount("none", mountpoint, "ramfs", unix.MS_NODEV|unix.MS_NOSUID, "mode=0750"); err != nil {
 		return fmt.Errorf("Cannot mount: %s", err)
 	}
 
+	if err := os.Chown(mountpoint, 0, int(keysGid)); err != nil {
+		return fmt.Errorf("Cannot change owner/group of '%s' to 0/%d: %s", mountpoint, keysGid, err)
+	}
+
 	return nil
 }
 
diff --git a/pkgs/sops-install-secrets/nixos-test.nix b/pkgs/sops-install-secrets/nixos-test.nix
index b4ef967..3faaee5 100644
--- a/pkgs/sops-install-secrets/nixos-test.nix
+++ b/pkgs/sops-install-secrets/nixos-test.nix
@@ -28,7 +28,7 @@
      imports = [ ../../modules/sops ];
       sops.gnupgHome = "/run/gpghome";
       sops.defaultSopsFile = ./test-assets/secrets.yaml;
-      sops.secrets.test_key = {};
+      sops.secrets.test_key.owner = "nobody";
       # must run before sops
       system.activationScripts.gnupghome = lib.stringAfter [ "etc" ] ''
         cp -r ${./test-assets/gnupghome} /run/gpghome
@@ -45,6 +45,9 @@
    testScript = ''
      start_all()
      server.succeed("cat /run/secrets/test_key | grep -q test_value")
+     server.succeed("runuser -u nobody -G keys -- cat /run/secrets/test_key >&2")
+     # should have no permission to read the file
+     server.fail("runuser -u nobody -- cat /run/secrets/test_key >&2")
    '';
  } {
    inherit pkgs;