chmod of keys can occur before group is created. #362
Comments
|
The problem is that in activate_configs(...) the keys are send The solution is probably to take the user and group configuration from the new configuration and only activate that part, then send the keys and finally activate the full new configuration. |
This is a WIP patch and is not working yet. This is an attemt to fix NixOS#362. This allows deploying the keys without adding the user accounts first. I get the following error: myMachine......................> uploading key ‘test’... myMachine......................> error: 'uid'
|
Another idea I have is to set the key owner using the UID and GID instead of the user name and group name which doesn't require the user and group accounts to be installed. |
Previously the owner of the uploaded key would be set to the specified user name and group name. However, when the configuration which defines this user and group is not yet activated the chown operation will fail. What we now do instead is set the owner of the key using the UID and GID computed from the configuration. This does enable a small attack window after the chown UID:GID and before the activation of the new configuration which adds the new user and group. If there's an existing user or group with the specified UID or GID respectively he might be able to read the key during that window.
Previously the owner of the uploaded key would be set to the specified user name and group name. However, when the configuration which defines this user and group is not yet activated the chown operation will fail. What we now do instead is set the owner of the key using the UID and GID computed from the configuration. This does enable a small attack window after the chown UID:GID and before the activation of the new configuration which adds the new user and group. If there's an existing user or group with the specified UID or GID respectively he might be able to read the key during that window.
|
I've created a pull request which fixes this. |
|
@aszlig had the following idea in #369 to fix this issue:
|
|
I also just ran into this issue. Looking forward to a fix! |
|
Yeah, this is a massive pain when setting up new servers or services as instead of a single-step process I now have to edit my config to not set the group, deploy then revert the config and deploy a second time. |
Instead of chowning keys to their user/group every time they are sent, only attempt the chown during send-keys if the user and group both exist, and again do a chown during activation after the users and groups have been created. One result is that if a key and its user and/or group are to be created in the same `nixops deploy`, the key will first be uploaded and owned by root:root, then chmod'd, then late in activation the key will be chowned to the newly created user/group. This includes a node's first deploy, when it has neither keys nor users/groups. Another result is that between send-keys and the next deploy (often, but not necessarily, in the same `nixops deploy`), a key may have its permissions set as configured, but _not_ be owned by the configured user/group (instead root:root), which is presumed safe. fixes NixOS#362, fixes NixOS#232
Instead of chowning keys to their user/group every time they are sent, only attempt the chown during send-keys if the user and group both exist, and again do a chown during activation after the users and groups have been created. One result is that if a key and its user and/or group are to be created in the same `nixops deploy`, the key will first be uploaded and owned by root:root, then chmod'd, then late in activation the key will be chowned to the newly created user/group. This includes a node's first deploy, when it has neither keys nor users/groups. Another result is that between send-keys and the next deploy (often, but not necessarily, in the same `nixops deploy`), a key may have its permissions set as configured, but _not_ be owned by the configured user/group (instead root:root), which is presumed safe. fixes NixOS#362, fixes NixOS#232
|
I use IDs instead of names |
|
See #400 |
Instead of chowning keys to their user/group every time they are sent, only attempt the chown during send-keys if the user and group both exist, and again do a chown during activation after the users and groups have been created. One result is that if a key and its user and/or group are to be created in the same `nixops deploy`, the key will first be uploaded and owned by root:root, then chmod'd, then late in activation the key will be chowned to the newly created user/group. This includes a node's first deploy, when it has neither keys nor users/groups. Another result is that between send-keys and the next deploy (often, but not necessarily, in the same `nixops deploy`), a key may have its permissions set as configured, but _not_ be owned by the configured user/group (instead root:root), which is presumed safe. fixes NixOS#362, fixes NixOS#232
Occasionally when provisioning a new node I get the following error:
This can be worked around by:
The text was updated successfully, but these errors were encountered: