nix-community / trustix

Trustix: Distributed trust and reproducibility tracking for binary caches [maintainer=@adisbladis]
https://nix-community.github.io/trustix/

panic: open /var/trustix/keys/cache-private-key.pem: permission denied #36

Open davidak opened 2 years ago

davidak commented 2 years ago

Describe the bug

Again, following the documentation leads to a program crash!

[root@gaming:~]# journalctl -u trustix-nix-cache.service
May 08 02:56:35 gaming systemd[1]: Started Trustix Nix binary cache daemon.
May 08 02:56:35 gaming trustix-nix[385966]: panic: open /var/trustix/keys/cache-private-key.pem: permission denied
May 08 02:56:35 gaming trustix-nix[385966]: goroutine 1 [running]:
May 08 02:56:35 gaming trustix-nix[385966]: github.com/tweag/trustix/packages/trustix-nix/cmd.readKey({0x7ffe937e9bbc, 0xe5b460})
May 08 02:56:35 gaming trustix-nix[385966]:         /build/source/cmd/binary-cache-proxy.go:70 +0x26d
May 08 02:56:35 gaming trustix-nix[385966]: github.com/tweag/trustix/packages/trustix-nix/cmd.glob..func1(0xe4ef40, {0x9c58a8, 0x2, 0x2})
May 08 02:56:35 gaming trustix-nix[385966]:         /build/source/cmd/binary-cache-proxy.go:101 +0x85
May 08 02:56:35 gaming trustix-nix[385966]: github.com/spf13/cobra.(*Command).execute(0xe4ef40, {0xc0000807e0, 0x2, 0x2})
May 08 02:56:35 gaming trustix-nix[385966]:         /build/source/vendor/github.com/spf13/cobra/command.go:850 +0x60e
May 08 02:56:35 gaming trustix-nix[385966]: github.com/spf13/cobra.(*Command).ExecuteC(0xe4f480)
May 08 02:56:35 gaming trustix-nix[385966]:         /build/source/vendor/github.com/spf13/cobra/command.go:958 +0x3ad
May 08 02:56:35 gaming trustix-nix[385966]: github.com/spf13/cobra.(*Command).Execute(...)
May 08 02:56:35 gaming trustix-nix[385966]:         /build/source/vendor/github.com/spf13/cobra/command.go:895
May 08 02:56:35 gaming trustix-nix[385966]: github.com/tweag/trustix/packages/trustix-nix/cmd.Execute()
May 08 02:56:35 gaming trustix-nix[385966]:         /build/source/cmd/root.go:61 +0x45
May 08 02:56:35 gaming trustix-nix[385966]: main.main()
May 08 02:56:35 gaming trustix-nix[385966]:         /build/source/main.go:14 +0x17
May 08 02:56:35 gaming systemd[1]: trustix-nix-cache.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
May 08 02:56:35 gaming systemd[1]: trustix-nix-cache.service: Failed with result 'exit-code'.

To Reproduce

https://tweag.github.io/trustix/binarycache.html#trustix---binary-cache-setup

Expected behavior

  1. programs should never crash; rather provide meaningful error messages
  2. following the documentation should lead to working example

Environment

Additional context

Same as in https://github.com/tweag/trustix/issues/28. Auto-generate on first start if file does not exist.

davidak commented 2 years ago

Even when the files are owned by user trustix, it does not work.

Maybe related to https://github.com/tweag/trustix/issues/20 and DynamicUser?

systemctl status trustix.service
Main PID: 385967 (trustix)

systemctl status trustix-nix-cache.service
Main PID: 387607 (code=exited, status=2)

Even with 644 permissions, it does not work (also with 777).

I can read the file with my user:

[root@gaming:/var/trustix/keys]# su - davidak -c "ls /var/trustix/keys/cache-private-key.pem"
/var/trustix/keys/cache-private-key.pem

But trustix-nix-cache.service can't.

Also not in /tmp, which is world-readable!

[root@gaming:~]# ll /tmp/cache-private-key.pem
-rw-r--r-- 1 root root 112 May  8 03:44 /tmp/cache-private-key.pem
May 08 03:48:47 gaming systemd[1]: Started Trustix Nix binary cache daemon.
May 08 03:48:47 gaming trustix-nix[456241]: panic: open /tmp/cache-private-key.pem: no such file or directory
May 08 03:48:47 gaming trustix-nix[456241]: goroutine 1 [running]:
May 08 03:48:47 gaming trustix-nix[456241]: github.com/tweag/trustix/packages/trustix-nix/cmd.readKey({0x7fffe4165bc9, 0xe5b460})
May 08 03:48:47 gaming trustix-nix[456241]:         /build/source/cmd/binary-cache-proxy.go:70 +0x26d
May 08 03:48:47 gaming trustix-nix[456241]: github.com/tweag/trustix/packages/trustix-nix/cmd.glob..func1(0xe4ef40, {0x9c58a8, 0x2, 0x2})
May 08 03:48:47 gaming trustix-nix[456241]:         /build/source/cmd/binary-cache-proxy.go:101 +0x85
May 08 03:48:47 gaming trustix-nix[456241]: github.com/spf13/cobra.(*Command).execute(0xe4ef40, {0xc0001b67c0, 0x2, 0x2})
May 08 03:48:47 gaming trustix-nix[456241]:         /build/source/vendor/github.com/spf13/cobra/command.go:850 +0x60e
May 08 03:48:47 gaming trustix-nix[456241]: github.com/spf13/cobra.(*Command).ExecuteC(0xe4f480)
May 08 03:48:47 gaming trustix-nix[456241]:         /build/source/vendor/github.com/spf13/cobra/command.go:958 +0x3ad
May 08 03:48:47 gaming trustix-nix[456241]: github.com/spf13/cobra.(*Command).Execute(...)
May 08 03:48:47 gaming trustix-nix[456241]:         /build/source/vendor/github.com/spf13/cobra/command.go:895
May 08 03:48:47 gaming trustix-nix[456241]: github.com/tweag/trustix/packages/trustix-nix/cmd.Execute()
May 08 03:48:47 gaming trustix-nix[456241]:         /build/source/cmd/root.go:61 +0x45
May 08 03:48:47 gaming trustix-nix[456241]: main.main()
May 08 03:48:47 gaming trustix-nix[456241]:         /build/source/main.go:14 +0x17
May 08 03:48:47 gaming systemd[1]: trustix-nix-cache.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
May 08 03:48:47 gaming systemd[1]: trustix-nix-cache.service: Failed with result 'exit-code'.
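As an added example (not Trustix's own code), this is the shape of a `readKey` replacement that meets the expected behaviour from the first comment (a meaningful error instead of a panic, auto-generation on first start) and makes the permission failure from the second comment diagnosable by reporting the uid the daemon actually runs as. The function name `LoadOrCreateKey`, the ed25519 PKCS#8 PEM key format and the error wording are assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
)

// LoadOrCreateKey reads an ed25519 private key (PKCS#8 PEM, a format assumed
// for this example) from path, generating one with mode 0600 if it is missing
// and turning a permission failure into an error that names the effective uid.
func LoadOrCreateKey(path string) (key ed25519.PrivateKey, created bool, err error) {
	raw, err := os.ReadFile(path)
	switch {
	case errors.Is(err, os.ErrPermission):
		return nil, false, fmt.Errorf("%w (daemon runs as uid %d; compare with the unit's User=/DynamicUser=)", err, os.Geteuid())
	case errors.Is(err, os.ErrNotExist):
		// First start: generate the key instead of panicking, as the issue requests.
		if _, key, err = ed25519.GenerateKey(rand.Reader); err != nil {
			return nil, false, fmt.Errorf("generate key: %w", err)
		}
		der, _ := x509.MarshalPKCS8PrivateKey(key)
		pemBytes := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
		if err = os.WriteFile(path, pemBytes, 0o600); err != nil {
			return nil, false, fmt.Errorf("write new key: %w", err)
		}
		return key, true, nil
	case err != nil:
		return nil, false, fmt.Errorf("read %s: %w", path, err)
	}
	block, _ := pem.Decode(raw)
	if block == nil {
		return nil, false, fmt.Errorf("%s: no PEM block found", path)
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, false, fmt.Errorf("%s: %w", path, err)
	}
	key, ok := parsed.(ed25519.PrivateKey)
	if !ok {
		return nil, false, fmt.Errorf("%s: not an ed25519 key", path)
	}
	return key, false, nil
}
```

A "no such file or directory" error for a path under /tmp is also what a unit with PrivateTmp= sees, since systemd gives it its own /tmp; that is general systemd behaviour, not something this issue confirms.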