From 4eda6711baaa3910424cb593f10d1c7d9fb43731 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 14 Jul 2020 13:21:07 +0100
Subject: [PATCH] fix /etc/secrets.d permissions

---
 pkgs/sops-install-secrets/main.go | 7 ++++---
 pkgs/sops-install-secrets/nixos-test.nix | 5 ++++-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/pkgs/sops-install-secrets/main.go b/pkgs/sops-install-secrets/main.go
index 7443c68..cb2392c 100644
--- a/pkgs/sops-install-secrets/main.go
+++ b/pkgs/sops-install-secrets/main.go
@@ -146,14 +146,15 @@ func mountSecretFs(mountpoint string, keysGid int) error {
 if err := os.MkdirAll(mountpoint, 0750); err != nil {
 return fmt.Errorf("Cannot create directory '%s': %s", mountpoint, err)
 }
- if err := os.Chown(mountpoint, 0, int(keysGid)); err != nil {
- return fmt.Errorf("Cannot change owner/group of '%s' to 0/%d: %s", mountpoint, keysGid, err)
- }
 if err := unix.Mount("none", mountpoint, "ramfs", unix.MS_NODEV|unix.MS_NOSUID, "mode=0750"); err != nil {
 return fmt.Errorf("Cannot mount: %s", err)
 }
+ if err := os.Chown(mountpoint, 0, int(keysGid)); err != nil {
+ return fmt.Errorf("Cannot change owner/group of '%s' to 0/%d: %s", mountpoint, keysGid, err)
+ }
+
 return nil
 }
diff --git a/pkgs/sops-install-secrets/nixos-test.nix b/pkgs/sops-install-secrets/nixos-test.nix
index b4ef967..3faaee5 100644
--- a/pkgs/sops-install-secrets/nixos-test.nix
+++ b/pkgs/sops-install-secrets/nixos-test.nix
@@ -28,7 +28,7 @@
 imports = [ ../../modules/sops ];
 sops.gnupgHome = "/run/gpghome";
 sops.defaultSopsFile = ./test-assets/secrets.yaml;
- sops.secrets.test_key = {};
+ sops.secrets.test_key.owner = "nobody";
 # must run before sops
 system.activationScripts.gnupghome = lib.stringAfter [ "etc" ] ''
 cp -r ${./test-assets/gnupghome} /run/gpghome
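Review bot: Moving os.Chown below unix.Mount is the entire fix, but nothing in the code says why the order matters, so a later tidy-up can silently restore the old order; a why-comment on the added Chown would pin it: `// Chown after mounting: it must apply to the ramfs root, not the directory the mount hides — ramfs takes only mode=, not gid=, so without this the mountpoint stays root:root.` If the added Chown fails the function returns with the new ramfs left mounted; whether the caller retries and stacks a second mount is outside the hunk, so an `unix.Unmount(mountpoint, 0)` on that error path before returning would keep mountSecretFs all-or-nothing either way. The added error wraps err with `%s`; `%w` would let callers use errors.Is/As, though this matches the existing messages in the function.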
@@ -45,6 +45,9 @@
 testScript = ''
 start_all()
 server.succeed("cat /run/secrets/test_key | grep -q test_value")
+ server.succeed("runuser -u nobody -G keys -- cat /run/secrets/test_key >&2")
+ # should have no permission to read the file
+ server.fail("runuser -u nobody -- cat /run/secrets/test_key >&2")
 '';
 } {
 inherit pkgs;
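Review bot: The negative check `server.fail("runuser -u nobody -- cat /run/secrets/test_key >&2")` passes for any non-zero exit of runuser, not only a permission denial, so a missing `nobody` account or an unavailable runuser would make the regression test pass vacuously; asserting on the reason is stronger: `server.succeed("runuser -u nobody -- cat /run/secrets/test_key 2>&1 | grep -q 'Permission denied'")` (the pipeline's status is grep's). The comment `# should have no permission to read the file` also names the wrong object: with `owner = "nobody"` set in the earlier hunk the file itself is presumably readable by nobody, and what blocks the read is the 0750 root:keys mountpoint that mountSecretFs now chowns, so `# nobody owns the file but cannot traverse the 0750 root:keys secrets dir without the keys group` describes what the pair of checks actually exercises.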