Open dotlambda opened 3 years ago
I would say that `mkdir` followed by `chmod` is usually not problematic because no files will be created in between the two operations. However, it might be better style to use `mkdir -m` or `install -dm`.
I don't know about `install`, but I think `mkdir -m` will not set the permissions if the directory already exists (so configured vs actual permissions might diverge).
Yes, if `-p` is used existing directories will not be changed. If it's not used, it will just cause an error. `install -dm` will change the permissions of an existing directory though.
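The difference discussed above, as an added example that is not part of the thread: a small POSIX sh script (all paths are constructed under a temporary directory) that creates a directory with mode 755 and then checks what `mkdir -pm 700`, `install -dm 700` and a plain `mkdir -m 700` each do to it.

```shell
#!/bin/sh
# Added example, not from the nixpkgs thread: does `mkdir -m` or `install -dm`
# change the mode of a directory that already exists?  Paths are constructed
# under a temporary directory.
set -eu

# Print the octal permission bits of a path (GNU stat, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a directory with mode 755 (the "actual" permissions), then try to
# tighten it to 700 (the "configured" permissions) with TOOL, which is either
# "mkdir" (mkdir -pm) or "install" (install -dm).  Prints the resulting mode.
tighten_existing_dir() {
    tool=$1
    base=$(mktemp -d)
    dir=$base/statedir
    mkdir -m 755 "$dir"
    case $tool in
        mkdir)   mkdir -pm 700 "$dir" ;;    # -p: existing dir is left untouched
        install) install -dm 700 "$dir" ;;  # existing dir is chmod'ed to 700
        *) echo "unknown tool: $tool" >&2; return 2 ;;
    esac
    mode_of "$dir"
    rm -rf "$base"
}

# Without -p, mkdir -m does not silently keep the old mode either: it simply
# fails on an existing directory.  Returns 0 when mkdir refused, 1 otherwise.
mkdir_without_p_fails() {
    dir=$(mktemp -d)
    if mkdir -m 700 "$dir" 2>/dev/null; then rc=1; else rc=0; fi
    rm -rf "$dir"
    return "$rc"
}
```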
Even though the actual ping never went through, I think you meant @colemickens for `nixos/modules/virtualisation/azure-image.nix` ;)
@cole-h Sorry, I didn't mean to relate your name to any FUD nonsense ;-)
Wrt acme, lego will write with 0600 permissions, which means that only the acme user can initially read any of the secure files it outputs. The chmod/chgrp/chowns scattered throughout acme.nix are there to either open or correct permissions such that the configured group will be able to read the certs. The acme-fixperms service is there solely to fix insecure permissions that may have existed in past iterations of the module (on upgrading systems). The only possible leak I can see is through the selfsigned service, which applies a chmod 600 after minica is called. I will set the umask on the selfsigned cert generator service instead.
The chmod/chgrp/chowns scattered throughout acme.nix are there to either open or correct permissions such that the configured group will be able to read the certs
We should best annotate such safe uses with comments to make it clear.
I would say that `mkdir` followed by `chmod` is usually not problematic because no files will be created in between the two operations. However, it might be better style to use `mkdir -m` or `install -dm`.
@mohe2015 Can you elaborate on what your :-1: means?
I would say that `mkdir` followed by `chmod` is usually not problematic because no files will be created in between the two operations. However, it might be better style to use `mkdir -m` or `install -dm`.
I'm not sure but I could imagine that someone could write to the directory in the rare case that the default permissions allow that. I just thought it would be cleaner to go all the way if somebody puts in the effort. But if this is really impossible it shouldn't matter.
In searx it's not much of an issue: it only allows users of the `searx` group to read the secrets, but I will try to fix it anyway.
FYI: `700`. I'll fix it nevertheless.
I don't believe the mailman module is vulnerable, because it uses `mktemp(1)` to create its secret file.
Files are created u+rw, and directories u+rwx, minus umask restrictions.
So the chmod should just have the effect of broadening the permissions to make it group readable. (It also does u-w, but that's meaningless since the owner is root.)
But I will do some testing today to verify that I am correct here.
Edit: I have confirmed this by commenting out the chmod/chown, and indeed the file starts being accessible only to root.
The `syncserver` module is broken and due for removal (https://github.com/NixOS/nixpkgs/pull/74725), so I guess it doesn't matter.
The nsd fix is there: https://github.com/NixOS/nixpkgs/pull/121427
I've done the compute image metadata fetchers in #121449, but GH assigned no reviewers. Can someone here review for me?
`nixos/modules/virtualisation/fetch-instance-ssh-keys.bash` uses `umask 077` early on, so it should be fine.
Use `umask` or `install -m` instead.
Actually, `install -m` has the same problem: https://github.com/NixOS/nixpkgs/pull/121427#issuecomment-831141768
You can mark off the following two from me:
`nixos/modules/services/web-apps/bookstack.nix` is fixed too.
This issue has been mentioned on NixOS Discourse. There might be relevant details there:
@ryantm Would your https://github.com/ryantm/nixpkgs/commit/b0088d4fb42c92bed81444442378d0d9ea531f0f be upstreamable for `mattermost`?
This issue has been mentioned on NixOS Discourse. There might be relevant details there:
`touch`, `cp`, etc. followed by `chmod` leaves an opportunity to leak secrets as explained in #121288. `install -m` does the same, but in one command. Use `umask` instead.
Thank you so much for going through all the potentially-affected services <3
- [ ] `nixos/modules/config/swap.nix` (@nbraud @tokudan @roberth)
Did you mean to tag someone else? I did the PR for wpa_supplicant some time ago, but didn't poke swap.nix
P.S.: Speaking of which, #275312 (backporting the wpa_supplicant fix) is needing a review ;3
`touch`, `cp`, etc. followed by `chmod` leaves an opportunity to leak secrets as explained in https://github.com/NixOS/nixpkgs/issues/121288. `install -m` does the same, but in one command. Use `umask` instead. The following modules might be affected:

- `nixos/modules/services/amqp/rabbitmq.nix` (@binarin @edef1c @roberth) #284117
- `nixos/modules/services/monitoring/zabbix-proxy.nix` and `nixos/modules/services/monitoring/zabbix-server.nix` (@aanderse) #284122
- `nixos/modules/services/continuous-integration/buildkite-agents.nix` (https://github.com/NixOS/nixpkgs/pull/121667)
- `nixos/modules/services/scheduling/atd.nix` (https://github.com/NixOS/nixpkgs/pull/121394)
- `nixos/modules/services/games/terraria.nix` (@evanjs @dasJ) #286356
- `nixos/modules/services/misc/redmine.nix` (@aanderse @zimbatm)
- `nixos/modules/services/misc/gogs.nix` (@braunse @Ekleog) #286362
- `nixos/modules/services/misc/gitea.nix` (#121299)
- `nixos/modules/services/computing/slurm/slurm.nix` (@markuskowa) #121336
- `nixos/modules/services/web-apps/restya-board.nix` (@nek0) #282971
- `nixos/modules/services/web-apps/wordpress.nix` (@jsamsa @mmilata) #290018
- `nixos/modules/services/web-apps/jitsi-meet.nix` (@mmilata @petabyteboy @ryantm) #325637
- `nixos/modules/services/web-apps/mattermost.nix` (@jslight90 @ryantm)
- `nixos/modules/services/web-apps/bookstack.nix` (https://github.com/NixOS/nixpkgs/pull/119325)
- `nixos/modules/services/web-apps/engelsystem.nix` (@Kloenk)
- `nixos/modules/services/web-apps/sogo.nix` (@ajs124) #325644
- `nixos/modules/services/web-apps/keycloak.nix` () #121778
- `nixos/modules/services/networking/xrdp.nix` (@telotortium)
- `nixos/modules/services/networking/firefox/sync-server.nix` (@Nadrieril) f8b4cf08fecdd4caa638ce5d00ac5b583308dafb
- `nixos/modules/services/networking/pptpd.nix` (@obadz) #308085
- `nixos/modules/services/networking/bee.nix` (@attila-lendvai) #325291
- `nixos/modules/services/networking/nsd.nix` (https://github.com/NixOS/nixpkgs/pull/121427) #299581
- `nixos/modules/services/networking/wireguard.nix` (https://github.com/NixOS/nixpkgs/pull/121294)
- `nixos/modules/services/networking/supplicant.nix` (https://github.com/NixOS/nixpkgs/pull/121395)
- `nixos/modules/services/networking/ircd-hybrid/ircd.conf` (@Scriptkiddi) (not a nix config)
- `nixos/modules/services/networking/searx.nix` (@rnhmjoj) #121512
- `nixos/modules/services/networking/yggdrasil.nix` (@ehmry @gazally) #121968
- `nixos/modules/services/networking/cjdns.nix` (@mkg20001 @Infinisil @elitak) #300519
- `nixos/modules/services/networking/xl2tpd.nix` (@obadz) #302388
- `nixos/modules/services/mail/mailman.nix` (https://github.com/NixOS/nixpkgs/issues/121293#issuecomment-830627372) #308092
- `nixos/modules/services/mail/postsrsd.nix` (@gkleen @abbradar) #304340
- `nixos/modules/services/cluster/kubernetes/pki.nix` (@ymatsiuk @saschagrunert @anmonteiro) #286032
- `nixos/modules/config/swap.nix` (@nbraud @tokudan @roberth) #312516
- `nixos/modules/security/acme.nix` and `nixos/modules/security/acme.xml` (https://github.com/NixOS/nixpkgs/pull/121750)
- `nixos/modules/virtualisation/digital-ocean-config.nix` (@eamsden) #308065
- `nixos/modules/virtualisation/openstack-metadata-fetcher.nix` (https://github.com/NixOS/nixpkgs/pull/121449)
- `nixos/modules/virtualisation/fetch-instance-ssh-keys.bash` (@talyz) 524aecf61e11663a3e841bee2e2b3a45a64ffdc2
- `nixos/modules/virtualisation/ec2-metadata-fetcher.nix` (https://github.com/NixOS/nixpkgs/pull/121449)
- `nixos/modules/virtualisation/azure-image.nix` (@colemickens @copumpkin) #266381
- `nixos/modules/virtualisation/vagrant-guest.nix` (@joseph-long) #302909
- `nixos/modules/virtualisation/ec2-data.nix` (@doshitan @edolstra) #304362
- `nixos/modules/virtualisation/brightbox-image.nix` (@rbvermaa) #307461 #339790

EDIT: wording, to make clear that I did not check whether this actually causes a problem in all of the above cases
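The window the issue describes, as an added example that is not from the thread or from any nixpkgs module: a POSIX sh script, using constructed temporary files, that records the mode a copied secret has at the moment `cp` creates it, first under the usual 022 umask (before the follow-up `chmod` runs) and then under `umask 077`.

```shell
#!/bin/sh
# Added example, not from the nixpkgs thread: what mode a secret file has at
# the moment it is created, with and without umask 077.  All paths and the
# secret's contents are constructed in a temporary directory.
set -eu

# Print the octal permission bits of a path (GNU stat, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The pattern the issue warns about: cp creates DEST under the caller's umask
# (022 gives a world-readable 644 file) and only the later chmod closes it.
# Anything that opens DEST between the two commands can read the secret.
# Prints the mode DEST had in that window.
write_secret_then_chmod() {
    src=$1 dest=$2
    cp "$src" "$dest"
    created=$(mode_of "$dest")
    chmod 600 "$dest"
    printf '%s\n' "$created"
}

# Hardened form: umask 077 in a subshell makes the kernel create DEST as 600,
# so there is no window and no follow-up chmod.  The subshell keeps the
# tightened umask from leaking into the rest of the script.
write_secret_with_umask() {
    src=$1 dest=$2
    ( umask 077; cp "$src" "$dest" )
    mode_of "$dest"
}

# Run WRITER on a constructed secret under the usual 022 umask and print the
# mode the destination file had right after cp created it.
creation_mode() {
    writer=$1
    tmp=$(mktemp -d)
    ( umask 022
      printf 'constructed-secret\n' > "$tmp/src"   # source ends up 644
      "$writer" "$tmp/src" "$tmp/secret" )
    rm -rf "$tmp"
}
```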