
umask statement triggered by users.ldap.bind.passwordFile has a global impact on NixOS activation scripts #260958

Open
haskelious opened this issue Oct 13, 2023 · 0 comments

@haskelious (Contributor)

Describe the bug

The usage of users.ldap.bind.passwordFile creates an activation script that leaks the umask setting to a restricted value of 0077, spilling over to subsequent unrelated activation scripts and possibly breaking functionality.

Folders created in other activation scripts unexpectedly get reduced permissions, causing access issues, for example with access to secrets created for non-root users using sops-nix.

Steps To Reproduce

Steps to reproduce the behavior:

  1. build a NixOS configuration based on flakes
  2. add github:Mic92/sops-nix as flake input and configure sops-nix as per guidelines at https://github.com/Mic92/sops-nix
  3. set users.ldap.enable = true and set a users.ldap.bind.passwordFile to a local file
  4. configure rest of the users.ldap settings for user authentication
  5. rebuild (and activate) the system with nixos-rebuild switch
  6. new /etc/ldap.conf file will be created/adjusted in the users.ldap activation phase
  7. a generation folder in /run/secrets.d/ will be created in the sops-nix activation script
  8. verify that the permissions on the sops secrets generation folder in /run/secrets.d/ have been reduced to:

```
drwx------  2 root keys   0 Oct  1 18:44 31
```

Expected behavior

Permissions on sops secrets generation folder should be accessible in read/execute to the keys group and accessible in execute to others as follows:

```
drwxr-x--x  2 root keys   0 Oct  1 18:44 31
```

It was suggested here to run the activation script in a subshell so that umask setting does not affect other activation scripts.

Additional context

Reference to the global umask setting in users.ldap module:

See also the reported issue in sops-nix: Mic92/sops-nix#415

Notify maintainers

@ju1m @Mic92

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

```
[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.1.55, NixOS, 23.05 (Stoat), 23.05.20230930.32dcb45`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.17.0`
 - channels(root): `"nixos-23.05-small"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
```
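The leak described in this report, reduced to a runnable model. This is an added example, not code from the issue, from NixOS or from sops-nix: it imitates the way NixOS runs all activation snippets in one shell process, so a bare `umask` in one snippet changes the ambient umask for every snippet that runs after it, and it shows the subshell wrapping suggested above confining the change. The snippet bodies, the starting umask of 0022 and the resulting directory modes are assumptions made for the demonstration, not values taken from the affected modules.

```shell
#!/bin/sh
# Added example, not code from the issue or from NixOS/sops-nix. Two stand-in
# activation snippets run in sequence in one shell, as a concatenated NixOS
# activation script would. The snippet bodies, the starting umask (0022) and
# the resulting modes are assumptions for the demonstration.

# Stand-in for the users.ldap snippet: tighten umask, then write the config.
# Without a subshell the umask change outlives the snippet itself.
ldap_snippet_leaky() {
    umask 0077
    printf 'binddn cn=example\n' > "$1/ldap.conf"
}

# The same work wrapped in ( ... ): the umask change is confined to the subshell
# and the ambient umask of the calling shell is untouched afterwards.
ldap_snippet_scoped() {
    (
        umask 0077
        printf 'binddn cn=example\n' > "$1/ldap.conf"
    )
}

# Stand-in for a later, unrelated snippet (like the secrets generation directory
# in the report) that relies on the ambient umask when it calls mkdir.
secrets_snippet() {
    mkdir "$1/secrets"
}

# Run both snippets in order inside a scratch directory and print the resulting
# mode of the secrets directory. $1 selects the variant: "leaky" or "scoped".
run_activation() {
    dir=$(mktemp -d)
    umask 0022                       # assumed starting umask of the activation script
    "ldap_snippet_$1" "$dir"
    secrets_snippet "$dir"
    mode=$(stat -c %a "$dir/secrets")
    rm -rf "$dir"
    printf '%s\n' "$mode"
}

# Usage: `sh leak.sh leaky` prints 700 (group and others lost all access to a
# directory the ldap snippet never touched); `sh leak.sh scoped` prints 755.
if [ -n "${1:-}" ]; then
    run_activation "$1"
fi
```

The check a maintainer would want when reviewing a fix is exactly the second call: after the wrapped snippet runs, a directory created by any later snippet must come out with the mode the starting umask implies, not the 0077-derived one.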