Introduce a type for options that contain the path to a secret file

[symphorien]

Description of changes

This should avoid mistakes like passwordFile = /etc/secret; where that path is unquoted so nix copies it to the nix store and makes it public.
I converted three modules to illustrate, but if this is merged we could add many others. It will be a breaking change but for security's sake.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.05 Release Notes (or backporting 21.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[infinisil]

Check out #78640 as well

[symphorien]

Ahah it's embarrassing: I linked to this PR about two years ago, but then forgot about it and reimplemented it yesterday...

Anyway, what blocks it? I see a rfc mentioned but it's closed.

[pennae]

how about something simpler:

Suggested change

	type = "derivation";
	name = "secretFileMadeWorldReadable";
	outPath = "${path}";
	outputs = [ "out" ];
	out = res;
	outputName = "out";
	canBePublic = true;
	inherit path;
	__toString = r: r.path;
	canBePublic = true;

[symphorien]

I initially tried toString but then "${config.the.option}" does not work anymore, you explicitly need to use toString. This way makes the migration fully transparent.

[pennae]

odd, it seems to work fine here.

[symphorien]

indeed it works, I must have tested wrong.

[nbp]

The only thing that you can guarantee is that you can assert that the secret has already been leaked, but not prevent it from leaking.

My understanding of why this is not possible without a special builtin which does not evaluate its operand, or which provide another evaluation loop which is guaranteed to not push any secret is the following:
isString x Return true if x evaluates to a string, and false otherwise.

The evaluation of a path, is similar to a derivation, and as far as I recall submit derivation directly to the Nix daemon.

[pennae]

not quite: path copying is really lazy. paths shouldn't be copied to the store unless they are interpolated into strings, constructed through builtins.path, or copyingly coerced by plugins. (can be checked by taking a path to a large file and munging it a bit. only when it is coerced to string, eg by interpolation or taking substrings, does the copy happen)

this check looks safe as long as we can guarantee that no interpolations are evaluated before the check is, but that too might be hard to do with perfect accuracy

[symphorien]

Huh indeed the copy happens even when only evaluating builtins like builtins.hasContext... I was very surprised.

$ uuidgen > /tmp/secret
$  nix repl "<nixpkgs>"
Welcome to Nix 2.8.1. Type :? for help.

Loading '<nixpkgs>'...
Added 16461 variables.

nix-repl> a = runCommand "foo" {} "cat ${./secret} sdf" 

nix-repl> builtins.hasContext "${a}" 
true

$  rg $(cat /tmp/secret ) /nix/store --glob "*secret"
/nix/store/8gnhfxbv1zzar3pwxlmsxx8lr7876cp4-secret
1:97c31780-96ec-41b1-b8bf-a0bbbe113cb5

The check has the following property: a configuration that evaluates does not leak secrets. (well it's not true because you can trick it with "/${./secret}" but you get my point). Maybe we could tweak the error message to say that if you see the error message the secret already leaked?

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/low-effort-and-high-impact-tasks/21095/15