-
-
Notifications
You must be signed in to change notification settings - Fork 13.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GitLab (and few others) use nix store to keep passwords #18881
Comments
You might want to read through this: NixOS/nix#8 |
@knedlsepp I know this, but it has 4 years, and it can take another while before this will be implemented. I'm interested more about doing something now. |
I use paths to secrets at the moment, which works for containers too. Interestingly, there's no way to add files to the initramfs without putting it in store. Perhaps a topic for another issue, but a hook to copy stuff in to an initramfs when installing the bootloader seems like a good idea. |
I am working on a patch to fix this for gitlab. I use nixops to deploy https://arianvp.me/ and because I think it's good for people as a learning resource, the entire thing is out in the open on github http://github.com/arianvp/arianvp.me I use nixops secret management to provision secrets, as can seen here: https://github.com/arianvp/arianvp.me/blob/master/arianvp.me/services/nginx.nix#L15 However, currently gitlab module does not support reading secrets from file, but only from the nix expressions. Of course, all my nix expressions are open source, and I should not store secrets in git. So I'm working on a patch that makes it possible to just specify the location of gitlabs |
This is a breaking change though, as it would break existing gitlab installs. Howabouts would I communicate that clearly? |
@arianvp there is a function in nix which inform people about deprecated stuff. I'm not sure if there are any rules for nixos to keep compatibility between versions. Less intrusive way of doing that would be to support two ways for one release and show deprecation message to people using function I mentioned (IMHO, probably someone from the core team could comment how to do that better). |
@arianvp Looks interesting. Ping me if you need help. |
More rather interesting modules that leak a lot of information to the 0444/0555 /nix/store 🙈 🙉 🙊
|
@mguentner cjdns is actually an example of a service that does not leak lots of secrets into the store ... it could easily be extended to also read the list of authorized password hashes at run-time as well, if reversing them was considered trivial (if you can demonstrate that, please file a bug). (EDIT: I certainly hope they are hashes, at any rate, if not that'd be kind of awful ...) |
cjdns is actually an example of a service that does not leak lots of
secrets into the store
cjdns module does write authorizedPasswords and password options into
nix store as world readable plain text. These are no hashes but actual
passwords. If somebody gets hold of the password, he gets access to
that network.
it could easily be extended to also read the list of authorized
password hashes at run-time as well, if reversing them was considered
trivial (if you can demonstrate that, please file a bug).
Why do you think that those passwords are hashes?
|
@tohl I had assumed they were ... obviously I was wrong :) |
NixOS is great but the filesystem design is inherently flawed. It completely undermines any security gained by having ACLs on filesystem nodes. It is doing that while making dangerous assumptions (i.e. all my config files can be public - 444/555!) and because at the time of writing (the idea of Nix dates back to 2003!), Linux had no other means of deduplicating content other than symlinks. In the long run filesystems that support deduplication should be used (ZFS, btrfs, XFS, have I missed something?) or even writing something like a systemFS/NixFS that manages ACLs by user/pid/environment/context (think NSALinux with a fixed state) is thinkable. By moving high-value information out of the store, not all problems are solved yet. Since, by reading the nix-store alone, you know the whole system config (maybe sans the passwords/keys), plus the environment (other machines, routings, IPs). However, this is not an easy task since it challenges one of the core elements of Nix(OS): the Store...and thus a lot of other concepts should be checked before hacking a intermediate solution. Although NixOS relies currently on systemd, security should not completely forgotten. @joachifm Great. Thanks for creating an issue. |
FYI, there is also an attempt to manage secrets in the openstack modules https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/openstack/common.nix#L24. |
Added extra config options to allow reading passwords from file rather than the world-readable nix store. The full config.json file is created at service startup. Relevant to NixOS#18881
Added extra config options to allow reading passwords from file rather than the world-readable nix store. The full config.json file is created at service startup. Relevant to #18881
„Provide options for storing secrets outside the Nix store:“ #24288 collects all affected packages, tracks progress and provides information on how to do the transition for storing secrets outside of the nix store. |
For gitlab the PR that fixes this is in https://github.com/NixOS/nixpkgs/pull/31358/files and general issue for going on is in #24288 Closing. |
Added extra config options to allow reading passwords from file rather than the world-readable nix store. The full config.json file is created at service startup. Relevant to NixOS#18881 (cherry picked from commit f488b18)
Issue description
As far as I understand, all of those settings
nixpkgs/nixos/modules/services/misc/gitlab.nix
Line 335 in e330807
Steps to reproduce
services.gitlab.enable=true
)Should we have clear way to handle that?
Personally for own services I use paths to files with secrets (deployed usually with nixops, so it integrates nicely).
Should choose some clear way to define secrets like that and update the docs?
Technical details
The text was updated successfully, but these errors were encountered: