Skip to content

Commit

Permalink
nixos/stunnel: Make it hard to accidentally put private keys in the N…
Browse files Browse the repository at this point in the history 
…ix store

With type.path, both of these usages are permitted:

    key = ./foo-client-key.pem;           # Bad!  Puts secret in store.
    key = "/var/lib/foo/client-key.pem";  # OK

Disallow the bad usage using types.strMatching "/.*" instead of types.path.

The server version of this probably ought to be changed also, but that
would be a breaking change.  We can change the client key type because
this commit and the commit that introduces the client key option are
in the same PR and will be merged atomically.  We keep this a separate
commit to provide a succinct concrete example of the problems described
in NixOS#24288 .
  • Loading branch information
@chkno
chkno committed Sep 21, 2020
1 parent 8dd3f77 commit cbec185
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion nixos/modules/services/networking/stunnel.nix
View file
Expand Up @@ -81,7 +81,7 @@ let
};

key = mkOption {
type = with types; nullOr path;
type = with types; nullOr (strMatching "/.*");
default = null;
description = "Client's key with which it authenticates to the server.";
};
Expand Down

0 comments on commit cbec185

Please sign in to comment.