pinpox / lollypops

Lollypop Operations - NixOS Deployment Tool
https://pinpox.github.io/lollypops/
GNU General Public License v3.0

User-owned secrets cannot be read in default-dir #21

Closed troyfigiel closed 8 months ago

troyfigiel commented 1 year ago

I deploy my configuration through ssh as root and use the default-dir (/var/src/lollypops-secrets/) to hold secrets owned by other users. For example:

lollypops.secrets.files."user-secret" = {
  owner = "user-name";
  group = "user-group";
};

In this case, "user-name" does not have permission to read the secret due to the following lines of source code in flake.nix:

# Create parent directory if it does not exist
''
  {{.REMOTE_COMMAND}} {{.REMOTE_OPTS}} {{.REMOTE_USER}}@{{.REMOTE_HOST}} '${optionalString useSudo "{{.REMOTE_SUDO_COMMAND}} {{.REMOTE_SUDO_OPTS}} "} install -d -m 700 "$(dirname ${path})"'
''

This causes the /var/src/lollypops-secrets/ directory to be set to mode 700 and owned by root, meaning the user "user-name" does not have the right permissions to read "user-secret" anymore.

In my own fork I simply replaced the 700 mode by 755 and everything works fine. It might be worth discussing what the correct way is though, since 755 permissions are fine for my use case, but probably too loose in general.

You could potentially create a directory per user, i.e. /var/src/lollypops-secrets/user-name/user-secret with the user-name directory owned by user-name:user-group and mode 755 or 711 on /var/src/lollypops-secrets/ only, so it can still be traversed, but other users cannot see the contents of /var/src/lollypops-secrets/user-name/.

I would be happy to create a PR if it's clear what would be the best solution.

pinpox commented 11 months ago

Yes, currently the permissions are set very strict and it's left up to the user to place the secrets manually where they can be read by more users if so desired.

I'm not sure what a better default would be, since there might be cases where secrets are nested. If you have a better solution than the current default, let me know.

troyfigiel commented 11 months ago

I used sops-nix before, which uses a group called keys. Any service or process that needs to read a secret will need to be part of that group. I don't recall how sops-nix handles nested secrets, but I assume it should be possible to simply change the ownership of every directory under /var/src/lollypops-secrets to root:keys. This would allow any user to still read secrets in any arbitrarily nested directory structure.

Would that be a reasonable solution?
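The root:keys layout proposed above, as an added audit/remediation script that is not part of this issue or of lollypops itself. It checks a deployed secrets tree for the two failure modes discussed (directories the secrets group cannot traverse, and anything world-accessible) and tightens modes; the group name "keys" and ownership are left to the deployer, since chgrp needs root and lollypops defines no such group.

```shell
#!/bin/sh
# Audit and tighten a secrets tree (e.g. /var/src/lollypops-secrets) against
# the scheme above: every directory stays traversable by the secrets group
# (g+x) so group members can reach nested secrets, and nothing is readable or
# enterable by "other". Ownership (root:keys) is intentionally not touched.

# audit_secrets_dir ROOT: prints one finding per line; returns 0 if clean, 1 if not.
audit_secrets_dir() {
    root="$1"
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
    report="$(
        # directories without group execute (010): the mode-700 bug from the issue
        find "$root" -type d ! -perm -010 | sed 's|^|NOT-GROUP-TRAVERSABLE |'
        # anything "other" can read (004) or enter/execute (001): the 755 workaround
        find "$root" \( -perm -004 -o -perm -001 \) | sed 's|^|WORLD-ACCESSIBLE |'
    )"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# apply_secrets_policy ROOT: make directories group-traversable and strip all
# "other" bits from directories and files, leaving owner bits as they were.
apply_secrets_policy() {
    find "$1" -type d -exec chmod g+rx,o-rwx {} +
    find "$1" -type f -exec chmod g+r,o-rwx {} +
}

# demo_tree: builds a constructed (not real) secrets tree and prints its path.
demo_tree() {
    t="$(mktemp -d)"
    mkdir -p "$t/svc-a" "$t/svc-b/nested" "$t/svc-c"
    printf 'x' >"$t/svc-a/token"
    printf 'y' >"$t/svc-b/nested/key"
    printf 'z' >"$t/svc-c/pw"
    chmod 750 "$t" "$t/svc-a" "$t/svc-c"
    chmod 700 "$t/svc-b"          # blocks group members: the original bug
    chmod 755 "$t/svc-b/nested"   # world-traversable: too loose
    chmod 640 "$t/svc-a/token" "$t/svc-b/nested/key"
    chmod 644 "$t/svc-c/pw"       # world-readable secret
    printf '%s\n' "$t"
}
```

Run `audit_secrets_dir "$(demo_tree)"` to see the three findings, then `apply_secrets_policy` on the same path and re-run the audit, which then passes.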

pinpox commented 10 months ago

Sure, that seems reasonable! I am thinking about whether it would be possible or make sense to make this change optional. How would this impact existing deployments? If we merge this as a new default and this is a breaking change, there should probably be instructions on how to migrate.

troyfigiel commented 10 months ago

I agree, maintaining backward compatibility is my goal. I will create a PR and check how things run for me locally. I might be missing a use case, so it would be good to have a second pair of eyes looking over it.

In any case, thanks for the library :) Its simplicity is a breath of fresh air in the deployment space.

pinpox commented 9 months ago

Any updates on this?

troyfigiel commented 9 months ago

Good that you reminded me! I had a look and it's actually quite a bit simpler than I expected. See the PR (#25). Let me know what you think.

pinpox commented 8 months ago

Fixed by #25