search

NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License
17.36k stars 13.59k forks source link

Provide options for storing secrets outside the Nix store #24288

Open basvandijk opened 7 years ago

basvandijk commented 7 years ago

Introduction

Dear module authors and maintainers,

We currently have many modules that force users to store their secrets in the world-readble Nix store. This is bad for security. We should give users the option of specifying their secrets in individual files which can be stored outside the Nix store with suitable ownership and permissions. Users could then also use nixops to manage their secret files.

There's still the convenient but unsafe option of storing the secret file in the Nix store using pkgs.writeTextFile. If https://github.com/NixOS/nix/issues/8 gets resolved these files can be encrypted / made private. Also see: https://github.com/NixOS/rfcs/pull/5.

Proposal

The list below contains all the options that force a secret being stored in the Nix store. I propose the following:

  1. Each option should get a warning in the documentation of the form: "Warning: this secret is stored in the world-readable Nix store!"

  2. Each option should get an alternative passwordFile option.

  3. For backwards compatibility the passwordFile option should get a default based on the password option:

{ config = {
    passwordFile = mkDefault (toString (pkgs.writeTextFile {
      name = "password-file";
      text = cfg.password;
    }));
  };
}

  1. Some upstream programs don't support setting a password using a file. In that case an issue should be created in the upstream issue-tracker asking for that feature. (See https://github.com/namecoin/namecoin-core/issues/148 for example). A URL to the issue should be placed in the list below and in the documentation of the password option so that it's easier to track when it gets resolved.

  2. If after some time (lets use September 2017 for now) the upstream developers have not provided the feature to specify the password by file, the NixOS module should be changed such that the config file that contains the password is written to /run before the service starts up. So something like the following:

{
  systemd.services.my-service = {  
    preStart = ''
      cat > /run/my-service/config << EOF
      ...
      password = $(cat "${cfg.passwordFile}")
      ...
      EOF
    '';
    script = "${pkgs.myService}/bin/my-service --config=/run/my-service/config";
  };
}

  1. Lets use this issue for planning and to track progress. Please mention in the comments if you have provided a passwordFile option for one of the options below. Then I check the box to indicate it has been resolved. See PR https://github.com/NixOS/nixpkgs/pull/24146 for reference.

  2. If we make sure the new options are backwards compatible we could consider cherry-picking them onto release-17.03 making sure users get these security fixes ASAP.

Secret options

This list was compiled by running the following in <nixpkgs> and manually inspecting and processing the result:

find . -type f -exec grep --color -nH -i -E -e '(secret|pass|key)' {} +`
ip1981 commented 7 years ago

FYI, check out how I handle secrets throughout all the apps here: https://github.com/ip1981/nixsap/tree/master/modules/apps

Especially, with Jenkins :)

teh commented 7 years ago

I suspect @fpletz is now the maintainer for gitlab (sorry, I see you'r name is in this list a lot!)

edolstra commented 7 years ago

Wow, I didn't know the situation was this bad. All of these options should be removed really. It's almost as if people don't realize that the Nix store is world readable...

jml commented 7 years ago

@basvandijk — any plan for preventing future changes adding secrets to the Nix store, beyond eternal vigilance?

Ekleog commented 7 years ago

Hmm, I didn't re-read https://github.com/NixOS/nix/issues/8 completely, but it seemed to me last time that @edolstra 's solution using encryption in the store and decryption at startup time was working and there was mostly bikeshedding about encryption vs ACLs?

This would be much easier than trying to patch every single upstream program that does not accept password files, especially given that some may not be willing to do it as it adds quite a bit of complexity. Wouldn't it?

rnhmjoj commented 7 years ago

Besides being quite inconvenient, storing passwords/keys in a file with restricted access outside the store, may not solve the problem: they could end up in a systemd environment file or a unit file if you need to pass those as an command line argument. Also expecting everyone upstream to comply seems incredibly too optimistic for me.

basvandijk commented 7 years ago

any plan for preventing future changes adding secrets to the Nix store, beyond eternal vigilance?

@jml we could add something to the PULL_REQUEST_TEMPLATE.md instructing contributors to use passwordFile instead of password options.

basvandijk commented 7 years ago

All of these options should be removed really...

@edolstra we could do that eventually but to ease the transition we should first provide a backwards compatible passwordFile option, then in a next release we could start throwing warnings when users use the password option and finally in a third release we can remove the password options.

basvandijk commented 7 years ago

@Ekleog regarding https://github.com/NixOS/nix/issues/8, even if we have the ability to encrypt files in the Nix store I think it would be best to only encrypt files that should be encrypted. Currently we have big config files that somewhere contain a password. It would nicer if the config file remains unencrypted because then it can be shared and it makes debugging easier. Only the password needs to be encrypted. So having passwords in individual files would still be desirable.

edolstra commented 7 years ago

@basvandijk The encryption stuff allows you to encrypt only the "secret" parts of a configuration file. See https://github.com/edolstra/nixpkgs/commit/4c8212069429bf9fb959e00ce8d9345ac7cb7ff0#diff-6c3fcb531890fdce200531b9ac69e4f8R14 for an example.

rnhmjoj commented 7 years ago

@basvandijk Sometimes even the password stored in the configuration file needs to be readable. dnschain, for example, parses namecoin.conf to connect to the rpc server.

basvandijk commented 7 years ago

@rnhmjoj lets see how upstream reacts to a request for a rpcpasswordFile parameter...

basvandijk commented 7 years ago

The encryption stuff allows you to encrypt only the "secret" parts of a configuration file.

@edolstra that's great! What needs to be done to get this merged into Nix?

edolstra commented 7 years ago

Well, it's not clear whether this is the way to go. @kevincox listed the issues here: https://github.com/NixOS/nix/issues/8#issuecomment-265256236

basvandijk commented 7 years ago

@rnhmjoj regarding namecoind, would cookie based authentication work?

basvandijk commented 7 years ago

Besides being quite inconvenient, storing passwords/keys in a file with restricted access outside the store, may not solve the problem: they could end up in a systemd environment file or a unit file if you need to pass those as an command line argument.

@rnhmjoj regarding secrets in systemd unit files, we can always create a wrapper script that cats the password file and passes that on to the original script. I do something similar here.

mbrgm commented 7 years ago

@basvandijk Regarding upstream changes for password file options: I think some cat/sed trickery, maybe creating a config file in /run from a template should also do the job for most cases where upstream doesn't have or doesn't want to add a password file, shouldn't it?

basvandijk commented 7 years ago

@mbrgm sure and we should do that in case upstream doesn't provide a password file option.

rasendubi commented 7 years ago

@basvandijk I would not tick the package until the PR is merged.

rnhmjoj commented 7 years ago

@basvandijk That seems a valid alternative for authenticating to namecoind however dnschain does not support it, so it would break the service. Anyway, thank you for opening the issue.

basvandijk commented 7 years ago

I would not tick the package until the PR is merged.

@rasendubi makes sense. I've unticked the wordpress checkbox.

edwtjo commented 7 years ago

Well for aiccu; SixXS is closing down its IPv6 tunnel in June so it doesn't seem worth the effort to create a patch for aiccu to support password files. Lets just remove the service in 0606.

zimbatm commented 7 years ago

Nix encryption is going to take a while to get there given nix's release history speed. I don't think it should be a blocker for trying alternative implementations.

On the nixpkgs side, the protection would be based on unix file ACL. How about treating secrets like any other state? We could introduce a "mkState" interface that defines any kind of state reference on the filesystem.

let
  postgresState = mkState {
    type = "directory";
    name = "postgres";
    owner = "postgres";
    group = "postgres";
    mode = "0700";
    mustExist = false;
    # run a command if it's missing
    onMissing = "pg_init";
  };
  assert (toString postgresState) == "/var/lib/postgres";
  # mkSecret is a specialization of mkState with a default dir to /run/keys/${name}, mode = 0700 and mustExist = true  
  nginxSecret = mkSecret {
    owner = "nginx";
  };

This would translate to (1) some activation script actions like creating the state dir (2) systemd service to initialize and/or check the secret, which can then be used as a dependency for other services.

I know it's still pretty vague but hopefully enough to convey the idea.

moretea commented 7 years ago

@zimbatm that would be quite interesting. Especially how that could work together with NixOps.

We'd need:

  1. Generic mechanism to facilitate generating secrets .
  2. A way to expose how a secret must be created from a service.
  3. Make it possible for NixOps to manage those secrets (generating them on the deploying machine, then storing them in the statefile and on the necessary machines).

Your mkSecret function could be extended to take a nixpkgs provided method or generic command.

{  
  s1 = mkSecret {  owner = "nginx"; method = "sha256"; };
  secretGeneratorProgram = stdenv.mkDerivation { /* ... */ };
  s2 = mkSecret { owner = "nginx"; command = "${secretGeneratorProgram}/bin/gen > $out"; };
}
joepie91 commented 7 years ago

Relevant nixops thread: NixOS/nixops#627

rvl commented 7 years ago
  1. Would anyone like to review my module PR #24366.
  2. If anyone has a module listed here and no time to fix it, I could do a couple.
basvandijk commented 7 years ago
  1. Would anyone like to review my module PR #24366.

LGTM (but I haven't tested it).

  1. If anyone has a module listed here and no time to fix it, I could do a couple.

That would be much appreciated. Thanks @rvl!

schneefux commented 7 years ago

If anyone has a module listed here and no time to fix it, I could do a couple.

Can you take a look at gogs' database configuration? Thanks 😃

ip1981 commented 7 years ago

I'd like to think of keys/passwords as of the data, not the code (which is in Nix store). I'm handling secrets on top of existing facilities with https://github.com/ip1981/nixsap/blob/master/modules/deployment/keyrings.nix

domenkozar commented 6 years ago

@basvandijk in your 5 you have:

$(cat "${cfg.passwordFile}")

if cfg.passwordFile type is set to types.path and someone specifies a path instead of string, it would still get pulled into nix store.

I propose we create a type called types.nonStorePath that can be set to path or string, but the resolved value would be a string that's not in nix store.

mbrgm commented 6 years ago

I propose we create a type called types.nonStorePath that can be set to path or string, but the resolved value would be a string that's not in nix store.

I like that idea. Sounds pragmatic and easy to understand (don't know about the implementation part though). Anyway, I think any solution to the problem would be welcome to most people. Imho secret management is one of NixOS' major weaknesses in practice.

domenkozar commented 6 years ago

Groundwork is in https://github.com/NixOS/nixpkgs/pull/31715

domenkozar commented 6 years ago

Implementation shouldn't be too difficult. I think we should have three types:

Note: types.package means a derivation path, but not a path within it.

CMCDragonkai commented 6 years ago

Suppose there are secrets that are only needed during the evaluation of configuration.nix (such as secrets required to download a particular package or install a particular package), then this can be done by passing in variables during invocation. Then there are secrets that are needed all the time by the services (and these have to be the plain text secret), then this would mean that these secrets exist as plain text on the filesystem. Is there a solution that allows the secrets to still be encrypted on disk, while the nixos system can still access them only when needed (possibly decrypting on the fly with an in-memory key).

basvandijk commented 6 years ago

@domenkozar I like having those types.

However, setting the type of passwordFile to nonStorePath does mean we can't have backwards compatibility as described in point 3.

Profpatsch commented 6 years ago

However, setting the type of passwordFile to nonStorePath does mean we can't have backwards compatibility as described in point 3.

How about just breaking it? As long as it’s not causing stuff to fail silently, that should be very much appropriate for a bad security issue like passwords in the store. For stable users this will hit in the next release with a big notice. Unstable users will have to adjust, but that’s what they’re in for.

domenkozar commented 6 years ago

@basvandijk I think for sake of security we can change it to path and it will report an error. It will force the user to rethink how to set the passwords, which is a good thing.

ip1981 commented 6 years ago

Software already sucks too much :) IOW, let's keep it simple. You need a key somewhere anyway outside the Nix store.

mguentner commented 6 years ago

@volth 

"We can solve any problem by introducing an extra level of indirection." -- Andrew Koenig

I am reminding people discussing this issue to reflect and meditate on the root issue that is causing this problem/concern. Encryption should not be used for fixing architectural flaws.

What are the assumptions of the nix store? What additional assumption should there be? Please read my original rant on this topic.

ip1981 commented 6 years ago

How is storing secrets in the nix store different from hardcoding them into the binary? Or a library used by the binary? No difference to me.

mguentner commented 6 years ago

@volth Your problem is just a different manifestation of an architectural flaw.

I solution I came up with: The /nix/store of an OS using Nix (e.g. NixOS) could check if the file / path requested is allowed for the caller environment, container or user. The store would be mounted using e.g. fuse or a custom kernel module which communicates with the nix daemon. This would fix the information leak once an for all. Of course, a binary cache would still serve your plaintext files.

To supply secrets to a machine, I think that the method nixops send-keys demonstrates is perfect for online machines (VPS, Server etc.). For offsite, embedded, "install and forget" machines this could also be made permanent by doing scp -R secrets_of_machine machine:/etc/secrets and then on the machine creating a bootup systemd unit with cp -r /etc/secrets/ /run

edolstra commented 6 years ago

@volth Regarding encryption, see https://github.com/NixOS/rfcs/pull/5.

Profpatsch commented 6 years ago

@volth @mguentner Another possible solution is to write configs with “holes”, by writing a template with interpolated variables where the passwords should be, e.g. in https://dhall-lang.org. Then you have a principled way to “fill in the holes” before giving the config to a process.

zimbatm commented 6 years ago

Secrets are traditionally very static and it's easy to think that they are configuration. I would like to argue that they should be treated as state instead.

Ideally we want to be in a place where they can be rotated dynamically with for example HashiCorp Vault. When there is a breach we want to be able to quickly rotate the keys. And during the investigation is helps if each machine has a unique key to figure out where the attack was coming from. It also discourages having the secrets stored in git since they are comming from another place. The nixops user should only have one secret, how to access HashiCorp Vault (and maybe a SSH key).

In that regard I think this initiative makes sense. Encourage upstream to provide paths to secrets instead of embedding them in configuration. And when not possible, generate the config at runtime with a template. At some point we'll figure out how to source those secrets from other places than the filesystem.

Shados commented 6 years ago

@Profpatsch @zimbatm not all secrets are configuration and state, however. You may not want to have your system-wide config be effectively traceable by everyone -- security through obscurity does not do any good on its own, but that doesn't mean it isn't useful. You may very well want to keep source files or actual package derivations hidden from most users in a mixed public/private environment, if they are proprietary in nature.

Nix is based on the idea of 'deployment as memory management', but it is memory management as seen purely from a language or application perspective, with nothing from an OS perspective, where isolation and protection are the norm. This is perhaps an oversight.

7c6f434c commented 6 years ago

@Shados maybe your case is better handled by running different things in different namespaces with only the allowed paths bind-mounted from the global store. In the OS RAM management terms, let the main store be like physical RAM and give the programs page tables according to their needs/access level.

zimbatm commented 6 years ago

@Shados these approaches are not mutually exclusive, even if paths are configurable it's still possible to point into the /nix/store. The difference is that path extractions is something we can do today without any changes to the nix language or runtime.

In Nix 2.0 and Linux it's also possible to maintain your own private nix store by passing the --store ~/your-store.

CMCDragonkai commented 6 years ago

@zimbatm About your last comment about nix 2.0, can you provide an example of how you use that to manage secrets from a private nix store?

ob7 commented 6 years ago

So if someone puts a password in plain text in a .nix file, that password gets uploaded to somewhere online that could be accessed by anyone?

srhb commented 6 years ago

@ob7 "World readable" in this sense means that any user on your system can read the file. It does not mean that files included in the nix store are somehow uploaded elsewhere.