nix-community / impermanence

Modules to help you handle persistent state on systems with ephemeral root storage [maintainer=@talyz]
MIT License

[SECURITY] Change default permissions for created user directories to a secure value #139

Open oddlama opened 1 year ago

oddlama commented 1 year ago

Many users assume that if the home directory itself uses strict permissions such as 700 or 750, the contents will also not be accessible to other users. This is usually the case on classical setups, but when using impermanence, this assumption no longer holds since the source directories will be created with very loose permissions:

https://github.com/nix-community/impermanence/blob/e3a7acd113903269a1b5c8b527e84ce7ee859851/nixos.nix#L252-L256

A simple GitHub search for `lang:nix persistence users .gnupg` reveals that there already are plenty of affected setups (used wrongly in about every second result) that publicly expose access to users' private keys or session data to the system. Therefore, I believe this is a dangerous default and should ideally be changed to 700 or at least 750.

oddlama commented 1 year ago

Looking over this again I see that impermanence should have created the home directory in the persistent folders with 700 already: https://github.com/nix-community/impermanence/blob/e3a7acd113903269a1b5c8b527e84ce7ee859851/nixos.nix#L572-L581

Yet, for some reason mine ended up with 755. I'll have to investigate this more to see what happened.

TheRealGramdalf commented 1 month ago

> Looking over this again I see that impermanence should have created the home directory in the persistent folders with 700 already:

I think this comes from the following lines:

https://github.com/nix-community/impermanence/blob/23c1f06316b67cb5dabdfe2973da3785cfe9c34a/nixos.nix#L569-L573

This is resulting in some issues where if you persist e.g. ~/.local/state/nix, but not ~/.local or ~/.local/state, parent directories that exist in persistent storage but not the target (i.e. local and state) will be created with owner root and permissions 755 upon reboot. Interestingly, simply doing a rebuild causes the ownership of created directories to be correct, so it's only upon reboot that permissions get set to root.
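The two failure modes described in this thread (persisted directories under a 700 home that are themselves world-readable, and parent directories such as `.local/state` recreated as root-owned 755 on boot) can be audited on an existing system. The following script is an added example and not impermanence's own code; it assumes GNU findutils/coreutils (as on NixOS) and that the persistence root holds one directory per user, e.g. `/persist/home/<user>`. The path is an illustrative assumption, not taken from the issue.

```bash
#!/usr/bin/env bash
# Added audit helper (not part of the impermanence module).
# Walks every <root>/<user> directory and reports directories that either
# grant any permission to group/other, or are not owned by the user whose
# home they live in (e.g. root-owned parents created at boot).
# Assumes GNU find (-perm /mode, -uid, -printf) and GNU stat (-c).
#
# Usage: audit_persist_homes /persist/home   # path is an assumed layout
# Output: one line per finding, "<octal mode> <owner uid> <path>".
# Exit status: 0 when nothing is reported, 1 otherwise.
audit_persist_homes() {
  local root="${1:?usage: audit_persist_homes <persist-home-root>}"
  local home owner line findings=0
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

  for home in "$root"/*/; do
    [ -d "$home" ] || continue
    home="${home%/}"
    # The owner of the persisted home directory is the expected owner
    # of every directory beneath it.
    owner="$(stat -c '%u' "$home")"

    # -perm /077 : any group or other bit is set (r, w or x)
    # ! -uid     : owned by somebody else, typically root
    # %m = octal mode, %U = numeric uid, %p = path
    while IFS= read -r line; do
      printf '%s\n' "$line"
      findings=$((findings + 1))
    done < <(find "$home" -type d \( -perm /077 -o ! -uid "$owner" \) \
               -printf '%m %U %p\n' | sort)
  done

  [ "$findings" -eq 0 ]
}
```

Run it as the user who owns the persistence root (or as root) so that every subdirectory is readable; the home directory itself is included, so a home persisted with 755 instead of 700, as in the first comment, is reported as well. Remediating a finding is a matter of `chown` to the user and `chmod 700` on the reported path, but check first whether a program expects a specific mode on its own directory.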

talyz commented 1 month ago

defaultPermissions apply to the creation of parent directories, but shouldn't affect the contents of the directories themselves, so I don't think that has anything to do with this at all. Could be a script failure, but it's hard to say with so little info available. Do you have an example config that gives this result?