Open basvandijk opened 7 years ago
FYI, check out how I handle secrets throughout all the apps here: https://github.com/ip1981/nixsap/tree/master/modules/apps
Especially, with Jenkins :)
I suspect @fpletz is now the maintainer for gitlab (sorry, I see you'r name is in this list a lot!)
Wow, I didn't know the situation was this bad. All of these options should be removed really. It's almost as if people don't realize that the Nix store is world readable...
@basvandijk — any plan for preventing future changes adding secrets to the Nix store, beyond eternal vigilance?
Hmm, I didn't re-read https://github.com/NixOS/nix/issues/8 completely, but it seemed to me last time that @edolstra 's solution using encryption in the store and decryption at startup time was working and there was mostly bikeshedding about encryption vs ACLs?
This would be much easier than trying to patch every single upstream program that does not accept password files, especially given that some may not be willing to do it as it adds quite a bit of complexity. Wouldn't it?
Besides being quite inconvenient, storing passwords/keys in a file with restricted access outside the store, may not solve the problem: they could end up in a systemd environment file or a unit file if you need to pass those as an command line argument. Also expecting everyone upstream to comply seems incredibly too optimistic for me.
any plan for preventing future changes adding secrets to the Nix store, beyond eternal vigilance?
@jml we could add something to the PULL_REQUEST_TEMPLATE.md instructing contributors to use passwordFile
instead of password
options.
All of these options should be removed really...
@edolstra we could do that eventually but to ease the transition we should first provide a backwards compatible passwordFile
option, then in a next release we could start throwing warnings when users use the password
option and finally in a third release we can remove the password
options.
@Ekleog regarding https://github.com/NixOS/nix/issues/8, even if we have the ability to encrypt files in the Nix store I think it would be best to only encrypt files that should be encrypted. Currently we have big config files that somewhere contain a password. It would nicer if the config file remains unencrypted because then it can be shared and it makes debugging easier. Only the password needs to be encrypted. So having passwords in individual files would still be desirable.
@basvandijk The encryption stuff allows you to encrypt only the "secret" parts of a configuration file. See https://github.com/edolstra/nixpkgs/commit/4c8212069429bf9fb959e00ce8d9345ac7cb7ff0#diff-6c3fcb531890fdce200531b9ac69e4f8R14 for an example.
@basvandijk Sometimes even the password stored in the configuration file needs to be readable. dnschain, for example, parses namecoin.conf to connect to the rpc server.
@rnhmjoj lets see how upstream reacts to a request for a rpcpasswordFile
parameter...
The encryption stuff allows you to encrypt only the "secret" parts of a configuration file.
@edolstra that's great! What needs to be done to get this merged into Nix?
Well, it's not clear whether this is the way to go. @kevincox listed the issues here: https://github.com/NixOS/nix/issues/8#issuecomment-265256236
@rnhmjoj regarding namecoind
, would cookie based authentication work?
Besides being quite inconvenient, storing passwords/keys in a file with restricted access outside the store, may not solve the problem: they could end up in a systemd environment file or a unit file if you need to pass those as an command line argument.
@rnhmjoj regarding secrets in systemd unit files, we can always create a wrapper script that cats the password file and passes that on to the original script. I do something similar here.
@basvandijk Regarding upstream changes for password file options: I think some cat
/sed
trickery, maybe creating a config file in /run
from a template should also do the job for most cases where upstream doesn't have or doesn't want to add a password file, shouldn't it?
@mbrgm sure and we should do that in case upstream doesn't provide a password file option.
@basvandijk I would not tick the package until the PR is merged.
@basvandijk That seems a valid alternative for authenticating to namecoind however dnschain does not support it, so it would break the service. Anyway, thank you for opening the issue.
I would not tick the package until the PR is merged.
@rasendubi makes sense. I've unticked the wordpress checkbox.
Well for aiccu; SixXS is closing down its IPv6 tunnel in June so it doesn't seem worth the effort to create a patch for aiccu to support password files. Lets just remove the service in 0606.
Nix encryption is going to take a while to get there given nix's release history speed. I don't think it should be a blocker for trying alternative implementations.
On the nixpkgs side, the protection would be based on unix file ACL. How about treating secrets like any other state? We could introduce a "mkState" interface that defines any kind of state reference on the filesystem.
let
postgresState = mkState {
type = "directory";
name = "postgres";
owner = "postgres";
group = "postgres";
mode = "0700";
mustExist = false;
# run a command if it's missing
onMissing = "pg_init";
};
assert (toString postgresState) == "/var/lib/postgres";
# mkSecret is a specialization of mkState with a default dir to /run/keys/${name}, mode = 0700 and mustExist = true
nginxSecret = mkSecret {
owner = "nginx";
};
This would translate to (1) some activation script actions like creating the state dir (2) systemd service to initialize and/or check the secret, which can then be used as a dependency for other services.
I know it's still pretty vague but hopefully enough to convey the idea.
@zimbatm that would be quite interesting. Especially how that could work together with NixOps.
We'd need:
Your mkSecret
function could be extended to take a nixpkgs provided method
or generic command
.
{
s1 = mkSecret { owner = "nginx"; method = "sha256"; };
secretGeneratorProgram = stdenv.mkDerivation { /* ... */ };
s2 = mkSecret { owner = "nginx"; command = "${secretGeneratorProgram}/bin/gen > $out"; };
}
Relevant nixops thread: NixOS/nixops#627
- Would anyone like to review my module PR #24366.
LGTM (but I haven't tested it).
- If anyone has a module listed here and no time to fix it, I could do a couple.
That would be much appreciated. Thanks @rvl!
If anyone has a module listed here and no time to fix it, I could do a couple.
Can you take a look at gogs' database configuration? Thanks 😃
I'd like to think of keys/passwords as of the data, not the code (which is in Nix store). I'm handling secrets on top of existing facilities with https://github.com/ip1981/nixsap/blob/master/modules/deployment/keyrings.nix
@basvandijk in your 5 you have:
$(cat "${cfg.passwordFile}")
if cfg.passwordFile type is set to types.path
and someone specifies a path instead of string, it would still get pulled into nix store.
I propose we create a type called types.nonStorePath
that can be set to path or string, but the resolved value would be a string that's not in nix store.
I propose we create a type called types.nonStorePath that can be set to path or string, but the resolved value would be a string that's not in nix store.
I like that idea. Sounds pragmatic and easy to understand (don't know about the implementation part though). Anyway, I think any solution to the problem would be welcome to most people. Imho secret management is one of NixOS' major weaknesses in practice.
Groundwork is in https://github.com/NixOS/nixpkgs/pull/31715
Implementation shouldn't be too difficult. I think we should have three types:
path
: any kind of absolute pathnonStorePath
: path that must NOT be in nix storestorePath
: path that must be in nix storeNote: types.package
means a derivation path, but not a path within it.
Suppose there are secrets that are only needed during the evaluation of configuration.nix (such as secrets required to download a particular package or install a particular package), then this can be done by passing in variables during invocation. Then there are secrets that are needed all the time by the services (and these have to be the plain text secret), then this would mean that these secrets exist as plain text on the filesystem. Is there a solution that allows the secrets to still be encrypted on disk, while the nixos system can still access them only when needed (possibly decrypting on the fly with an in-memory key).
@domenkozar I like having those types.
However, setting the type of passwordFile
to nonStorePath
does mean we can't have backwards compatibility as described in point 3.
However, setting the type of passwordFile to nonStorePath does mean we can't have backwards compatibility as described in point 3.
How about just breaking it? As long as it’s not causing stuff to fail silently, that should be very much appropriate for a bad security issue like passwords in the store. For stable users this will hit in the next release with a big notice. Unstable users will have to adjust, but that’s what they’re in for.
@basvandijk I think for sake of security we can change it to path and it will report an error. It will force the user to rethink how to set the passwords, which is a good thing.
Software already sucks too much :) IOW, let's keep it simple. You need a key somewhere anyway outside the Nix store.
@volth
"We can solve any problem by introducing an extra level of indirection." -- Andrew Koenig
I am reminding people discussing this issue to reflect and meditate on the root issue that is causing this problem/concern. Encryption should not be used for fixing architectural flaws.
What are the assumptions of the nix store? What additional assumption should there be? Please read my original rant on this topic.
How is storing secrets in the nix store different from hardcoding them into the binary? Or a library used by the binary? No difference to me.
@volth Your problem is just a different manifestation of an architectural flaw.
I solution I came up with: The /nix/store of an OS using Nix (e.g. NixOS) could check if the file / path requested is allowed for the caller environment, container or user. The store would be mounted using e.g. fuse or a custom kernel module which communicates with the nix daemon. This would fix the information leak once an for all. Of course, a binary cache would still serve your plaintext files.
To supply secrets to a machine, I think that the method nixops send-keys
demonstrates is perfect for online machines (VPS, Server etc.). For offsite, embedded, "install and forget" machines this could also be made permanent by doing scp -R secrets_of_machine machine:/etc/secrets
and then on the machine creating a bootup systemd unit with cp -r /etc/secrets/ /run
@volth Regarding encryption, see https://github.com/NixOS/rfcs/pull/5.
@volth @mguentner Another possible solution is to write configs with “holes”, by writing a template with interpolated variables where the passwords should be, e.g. in https://dhall-lang.org. Then you have a principled way to “fill in the holes” before giving the config to a process.
Secrets are traditionally very static and it's easy to think that they are configuration. I would like to argue that they should be treated as state instead.
Ideally we want to be in a place where they can be rotated dynamically with for example HashiCorp Vault. When there is a breach we want to be able to quickly rotate the keys. And during the investigation is helps if each machine has a unique key to figure out where the attack was coming from. It also discourages having the secrets stored in git since they are comming from another place. The nixops user should only have one secret, how to access HashiCorp Vault (and maybe a SSH key).
In that regard I think this initiative makes sense. Encourage upstream to provide paths to secrets instead of embedding them in configuration. And when not possible, generate the config at runtime with a template. At some point we'll figure out how to source those secrets from other places than the filesystem.
@Profpatsch @zimbatm not all secrets are configuration and state, however. You may not want to have your system-wide config be effectively traceable by everyone -- security through obscurity does not do any good on its own, but that doesn't mean it isn't useful. You may very well want to keep source files or actual package derivations hidden from most users in a mixed public/private environment, if they are proprietary in nature.
Nix is based on the idea of 'deployment as memory management', but it is memory management as seen purely from a language or application perspective, with nothing from an OS perspective, where isolation and protection are the norm. This is perhaps an oversight.
@Shados maybe your case is better handled by running different things in different namespaces with only the allowed paths bind-mounted from the global store. In the OS RAM management terms, let the main store be like physical RAM and give the programs page tables according to their needs/access level.
@Shados these approaches are not mutually exclusive, even if paths are configurable it's still possible to point into the /nix/store. The difference is that path extractions is something we can do today without any changes to the nix language or runtime.
In Nix 2.0 and Linux it's also possible to maintain your own private nix store by passing the --store ~/your-store
.
@zimbatm About your last comment about nix 2.0, can you provide an example of how you use that to manage secrets from a private nix store?
So if someone puts a password in plain text in a .nix file, that password gets uploaded to somewhere online that could be accessed by anyone?
@ob7 "World readable" in this sense means that any user on your system can read the file. It does not mean that files included in the nix store are somehow uploaded elsewhere.
Introduction
Dear module authors and maintainers,
We currently have many modules that force users to store their secrets in the world-readble Nix store. This is bad for security. We should give users the option of specifying their secrets in individual files which can be stored outside the Nix store with suitable ownership and permissions. Users could then also use
nixops
to manage their secret files.There's still the convenient but unsafe option of storing the secret file in the Nix store using
pkgs.writeTextFile
. If https://github.com/NixOS/nix/issues/8 gets resolved these files can be encrypted / made private. Also see: https://github.com/NixOS/rfcs/pull/5.Proposal
The list below contains all the options that force a secret being stored in the Nix store. I propose the following:
Each option should get a warning in the documentation of the form: "Warning: this secret is stored in the world-readable Nix store!"
Each option should get an alternative
passwordFile
option.For backwards compatibility the
passwordFile
option should get a default based on thepassword
option:Some upstream programs don't support setting a password using a file. In that case an issue should be created in the upstream issue-tracker asking for that feature. (See https://github.com/namecoin/namecoin-core/issues/148 for example). A URL to the issue should be placed in the list below and in the documentation of the
password
option so that it's easier to track when it gets resolved.If after some time (lets use September 2017 for now) the upstream developers have not provided the feature to specify the password by file, the NixOS module should be changed such that the config file that contains the password is written to
/run
before the service starts up. So something like the following:Lets use this issue for planning and to track progress. Please mention in the comments if you have provided a
passwordFile
option for one of the options below. Then I check the box to indicate it has been resolved. See PR https://github.com/NixOS/nixpkgs/pull/24146 for reference.If we make sure the new options are backwards compatible we could consider cherry-picking them onto
release-17.03
making sure users get these security fixes ASAP.Secret options
[x]
basicAuth
nixos/modules/services/web-servers/nginx/vhost-options.nix#L118 @globin[x]
networking.defaultMailServer.authPass
nixos/modules/programs/ssmtp.nix#L92 PR: https://github.com/NixOS/nixpkgs/pull/24331[x]
networking.wireless.networks.*.psk
nixos/modules/services/networking/wpa_supplicant.nix#L49 @edolstra[x]
security.duosec.skey
nixos/modules/security/duosec.nix#L59 @thoughtpolice[x]
services.aiccu.password
nixos/modules/services/networking/aiccu.nix#L48@edwtjo mentions: SixXS is closing down its IPv6 tunnel in June so it doesn't seem worth the effort to create a patch for aiccu to support password files. Lets just remove the service in 0606.[ ]
services.almir.director_password
nixos/modules/services/backup/almir.nix#L129 @domenkozar[ ]
services.bacula-dir.password
nixos/modules/services/backup/bacula.nix#L313 @domenkozar Feature request for a PasswordFile parameter[ ]
services.bacula-[fd|sd].director.*.password
nixos/modules/services/backup/bacula.nix#L114 @domenkozar See the feature request above.[x]
services.bepasty.servers.*.secretKey
nixos/modules/services/misc/bepasty.nix#L72 @makefu PR: https://github.com/NixOS/nixpkgs/pull/24755[ ]
services.btsync.httpPass
nixos/modules/services/networking/btsync.nix#L175 @thoughtpolice[x]
services.buildbot-worker.workerPass
nixos/modules/services/continuous-integration/buildbot/worker.nix#L56 @nand0p[x]
services.cadvisor.storageDriverPassword
nixos/modules/services/monitoring/cadvisor.nix#L54 @offlinehacker PR: https://github.com/NixOS/nixpkgs/pull/24341[ ]
services.cassandra.keyStorePassword
nixos/modules/services/databases/cassandra.nix#L236 @cransom See: https://issues.apache.org/jira/browse/CASSANDRA-13428[ ]
services.cassandra.trustStorePassword
nixos/modules/services/databases/cassandra.nix#L241 @cransom See: https://issues.apache.org/jira/browse/CASSANDRA-13428[ ]
services.cgminer.pools.*.password
nixos/modules/services/misc/cgminer.nix#L60 @offlinehacker[ ]
services.cjdns.authorizedPasswords
nixos/modules/services/networking/cjdns.nix#L103 @ehmry[x]
services.cfdyndns.apikey
nixos/modules/services/misc/cfdyndns.nix#L20 @colemickens[x]
services.coturn.cli-password
nixos/modules/services/networking/coturn.nix#L249 @Ralith[x]
services.coturn.static-auth-secret
nixos/modules/services/networking/coturn.nix#L174 @Ralith[ ]
services.cpuminer-cryptonight.pass
nixos/modules/services/misc/cpuminer-cryptonight.nix#L38 @ehmry[x]
services.crowd.openidPassword
nixos/modules/services/web-apps/atlassian/crowd.nix#L53 @fpletz @globin[x]
services.dd-agent.api_key
nixos/modules/services/monitoring/dd-agent.nix#L112 @shlevy[ ]
services.ddclient.password
nixos/modules/services/networking/ddclient.nix#L47 @rbvermaa[ ]
services.factorio.game-password
nixos/modules/services/games/factorio.nix#L144 @elitak[ ]
services.factorio.password
nixos/modules/services/games/factorio.nix#L130 @elitak[ ]
services.frab.secretKeyBas
nixos/modules/services/web-apps/frab.nix#L118 @fpletz[ ]
services.gammu-smsd.backend.sql.password
nixos/modules/services/misc/gammu-smsd.nix#L192 @zohl[x]
services.gitlab.databasePassword
nixos/modules/services/misc/gitlab.nix#L203 @fpletz @offlinehacker PR: #31358[x]
services.gitlab.secrets.secret
nixos/modules/services/misc/gitlab.nix#L326 @fpletz @offlinehacker PR: #31358[x]
services.gitlab.smtp.password
nixos/modules/services/misc/gitlab.nix#L295 @fpletz @offlinehacker[x]
services.gogs.database.password
nixos/modules/services/misc/gogs.nix#L102 @schneefux PR: https://github.com/NixOS/nixpkgs/pull/25116[x]
services.grafana.database.password
nixos/modules/services/monitoring/grafana.nix#L137 @offlinehacker[x]
services.grafana.security.adminPassword
nixos/modules/services/monitoring/grafana.nix#L157 @offlinehacker[x]
services.grafana.security.secretKey
nixos/modules/services/monitoring/grafana.nix#L163 @offlinehacker[ ]
services.graylog.passwordSecret
nixos/modules/services/logging/graylog.nix#L68 @fadenb[ ]
services.graylog.rootPasswordSha2
nixos/modules/services/logging/graylog.nix#L82 @fadenb[ ]
services.hologram-server.ldapBindPassword
nixos/modules/services/security/hologram-server.nix#L68 @nand0p[x]
services.hostapd.wpaPassphrase
nixos/modules/services/networking/hostapd.nix#L124[x]
services.httpd.extraSubservices..."limesurvey"...adminPassword
nixos/modules/services/web-servers/apache-httpd/limesurvey.nix#L143 @offlinehacker[x]
services.httpd.extraSubservices..."limesurvey"...dbPassword
nixos/modules/services/web-servers/apache-httpd/limesurvey.nix#L131 @offlinehacker[x]
services.httpd.extraSubservices..."mediawiki"...dbPassword
nixos/modules/services/web-servers/apache-httpd/mediawiki.nix#L207 @shlevy @ip1981[x]
services.httpd.extraSubservices..."owncloud"...adminPassword
nixos/modules/services/web-servers/apache-httpd/owncloud.nix#L403 @matejc[x]
services.httpd.extraSubservices..."owncloud"...dbPassword
nixos/modules/services/web-servers/apache-httpd/owncloud.nix#L429 @matejc[x]
services.httpd.extraSubservices..."owncloud"...SMTPPass
nixos/modules/services/web-servers/apache-httpd/owncloud.nix#L527 @matejc[x]
services.httpd.extraSubservices..."wordpress"...dbPassword
nixos/modules/services/web-servers/apache-httpd/wordpress.nix#L138 @qknight PR: https://github.com/NixOS/nixpkgs/pull/24146[ ]
services.i2pd.proto.http.pass
nixos/modules/services/networking/i2pd.nix#L351 @edwtjo[ ]
services.icecast.admin.password
nixos/modules/services/audio/icecast.nix#L62 @k0ral[x]
services.longview.mysqlPassword
nixos/modules/services/monitoring/longview.nix#L78 @rvl PR: https://github.com/NixOS/nixpkgs/pull/24366[x]
services.matrix-synapse.macaroon_secret_key
nixos/modules/services/misc/matrix-synapse.nix#L545 @roblabla[x]
services.matrix-synapse.registration_shared_secret
nixos/modules/services/misc/matrix-synapse.nix#L453 @roblabla[x]
services.matrix-synapse.turn_shared_secret
nixos/modules/services/misc/matrix-synapse.nix#L434 @roblabla[x]
services.matrix-synapse.recaptcha_private_key
nixos/modules/services/misc/matrix-synapse.nix#L404 @roblabla[ ]
services.mattermost.localDatabasePassword
nixos/modules/services/web-apps/mattermost.nix#L108 @fpletz[x]
services.murmur.password
nixos/modules/services/networking/murmur.nix#L105 @thoughtpolice[ ]
services.mysql.replication.masterPassword
nixos/modules/services/databases/mysql.nix#L149 @edolstra[ ]
services.namecoind.rpc.password
nixos/modules/services/networking/namecoind.nix#L90 @rnhmjoj See: https://github.com/namecoin/namecoin-core/issues/148[ ]
services.nntp-proxy.upstreamPassword
nixos/modules/services/networking/nntp-proxy.nix#L99 @fadenb[ ]
services.oauth2_proxy.cookie.secret
nixos/modules/services/security/oauth2_proxy.nix#L371 @jml[ ]
services.panamax.secretKey
nixos/modules/services/cluster/panamax.nix#L63 @matejc[x]
services.prometheus.*.consul_sd_config.password
nixos/modules/services/monitoring/prometheus/default.nix#L243 @fpletz @doshitan[ ]
services.prometheus.*.scrape_config.basic_auth.password
nixos/modules/services/monitoring/prometheus/default.nix#L128 @fpletz @doshitan[ ]
services.prometheus.unifiExporter.unifiPassword
nixos/modules/services/monitoring/prometheus/unifi-exporter.nix#L45 @fpletz @doshitan[x]
services.redis.requirePass
nixos/modules/services/databases/redis.nix#L160 @offlinehacker[x]
services.redmine.databasePassword
nixos/modules/services/misc/redmine.nix#L103 @domenkozar[ ]
services.redsocks.redsocks.password
nixos/modules/services/networking/redsocks.nix#L109 @Ekleog[ ]
services.rippleDataApi.couchdb.pass
nixos/modules/services/misc/ripple-data-api.nix#L109 @offlinehacker[ ]
services.rippled.ports.*.password
nixos/modules/services/misc/rippled.nix#L114 @ehmry[ ]
services.selfoss.database.password
nixos/modules/services/web-apps/selfoss.nix#L89 @regnat[ ]
services.terraria..password
nixos/modules/services/games/terraria.nix#L50 @pshendry @garbas[ ]
services.tor.torsocks.socks5Password
nixos/modules/services/security/torsocks.nix#L89 @thoughtpolice[x]
services.tt-rss.database.password
nixos/modules/services/web-apps/tt-rss.nix#L163 @zohl[x]
services.tt-rss.email.password
nixos/modules/services/web-apps/tt-rss.nix#L291 @zohl[ ]
services.wakeonlan.interfaces.*.password
nixos/modules/services/networking/wakeonlan.nix#L32[ ]
services.yandex-disk.password
nixos/modules/services/network-filesystems/yandex-disk.nix#L38 @grwlf @7c6f434c[x]
services.zabbixServer.dbPassword
nixos/modules/services/monitoring/zabbix-server.nix#L66 @robbererThis list was compiled by running the following in
<nixpkgs>
and manually inspecting and processing the result: