Describe the bug
The usage of users.ldap.bind.passwordFile creates an activation script that leaks the umask setting to a restricted value of 0077, spilling over to subsequent unrelated activation scripts and possibly breaking functionality.
Folders created in other activation scripts unexpectedly get reduced permissions, causing access issues, for example access to secrets created for non-root users using sops-nix.
Steps To Reproduce
Steps to reproduce the behavior:
1. Add github:Mic92/sops-nix as flake input and configure sops-nix as per guidelines at https://github.com/Mic92/sops-nix
2. Set users.ldap.enable = true and set a users.ldap.bind.passwordFile to a local file
3. Set users.ldap settings for user authentication
4. Run nixos-rebuild switch
5. The /etc/ldap.conf file will be created/adjusted in the users.ldap activation phase
6. /run/secrets.d/ will be created in the sops-nix activation script
7. /run/secrets.d/ has reduced permission as:
Expected behavior
Permissions on the sops secrets generation folder should be accessible in read/execute to the keys group and accessible in execute to others, as follows:
It was suggested here to run the activation script in a subshell so that the umask setting does not affect other activation scripts.
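As an added illustration (constructed here, not code from nixpkgs or sops-nix), a POSIX shell script that reproduces the umask spill-over with two stand-in activation scripts run back to back, and shows that wrapping the first one in a subshell confines the change; the function names and temporary directory layout are assumptions.

```shell
# Constructed demo of the umask leak described above: NixOS concatenates all
# activation scripts into one shell, so a umask set by one script persists
# into the next unless it is scoped. Function names are assumptions.

# Stand-in for the users.ldap snippet: tightens umask to write the secret-bearing
# ldap.conf with mode 0600, but never restores the previous umask.
ldap_activation_leaky() {
    umask 0077
    printf 'bindpw example\n' > "$1/ldap.conf"
}

# Same snippet wrapped in a subshell, as suggested in the issue: the umask
# change dies with the subshell, and ldap.conf is still created with mode 0600.
ldap_activation_scoped() {
    (
        umask 0077
        printf 'bindpw example\n' > "$1/ldap.conf"
    )
}

# Stand-in for a later, unrelated script (sops-nix creating /run/secrets.d/):
# it relies on the inherited umask and expects group/others to keep the x bit.
secrets_activation() {
    mkdir "$1/secrets.d"
}

# Octal mode of a path; GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Runs both scripts under the default umask 0022 and prints the mode secrets.d
# ended up with. Uses a subshell so the leaky variant cannot disturb the caller.
run_activation() {
    (
        dir=$(mktemp -d)
        umask 0022
        case "$1" in
            leaky)  ldap_activation_leaky "$dir" ;;
            scoped) ldap_activation_scoped "$dir" ;;
        esac
        secrets_activation "$dir"
        mode_of "$dir/secrets.d"
        rm -rf "$dir"
    )
}

printf 'leaky:  secrets.d mode %s\n' "$(run_activation leaky)"   # prints 700
printf 'scoped: secrets.d mode %s\n' "$(run_activation scoped)"  # prints 755
```

The leaky variant leaves secrets.d at 0700, so the keys group loses r-x and others lose --x; the scoped variant keeps the 0755 the later script expects.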
Additional context
Reference to the global umask setting in the users.ldap module: nixpkgs/nixos/modules/config/ldap.nix, line 232 in 10a2d00
See also the reported issue in sops-nix: Mic92/sops-nix#415
Notify maintainers
@ju1m @Mic92
Metadata
Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.