NixOS modules: chmod leaves opportunity to leak secrets

[dotlambda]

touch, cp, etc. followed by chmod leaves an opportunity to leak secrets as explained in #121288. install -m does the same, but in one command. Use umask instead.
The following modules might be affected:

• nixos/modules/services/amqp/rabbitmq.nix (@binarin @edef1c @roberth) nixos/rabbitmq: prefer 'install' over 'mkdir/chmod/chown' #284117
• nixos/modules/services/monitoring/zabbix-proxy.nix and nixos/modules/services/monitoring/zabbix-server.nix (@aanderse) nixos/{zabbixServer,zabbixProxy}: prefer 'install' over 'mkdir/chmod/chown' #284122
• nixos/modules/services/continuous-integration/buildkite-agents.nix (nixos/buildkite-agents: fix race-condition when installing secrets #121667)
• nixos/modules/services/scheduling/atd.nix (nixos/atd: prefer 'install' over 'mkdir/chmod/chown' #121394)
• nixos/modules/services/games/terraria.nix (@evanjs @dasJ) nixos/terraria: prefer 'serviceConfig' over 'chmod/chgrp' #286356
• nixos/modules/services/misc/redmine.nix (@aanderse @zimbatm)
• nixos/modules/services/misc/gogs.nix (@braunse @Ekleog) nixos/gogs: prefer 'umask' over 'chmod' #286362
• nixos/modules/services/misc/gitea.nix (nixos/gitea: set umask for secret creation #121299)
• nixos/modules/services/computing/slurm/slurm.nix (@markuskowa) nixos/slurm: 20.11.5.1 -> 20.11.6.1, improve security #121336
• nixos/modules/services/web-apps/restya-board.nix (@nek0) restya-board: drop #282971
• nixos/modules/services/web-apps/wordpress.nix (@jsamsa @mmilata) nixos/wordpress: prefer 'umask' over 'chmod' #290018
• nixos/modules/services/web-apps/jitsi-meet.nix (@mmilata @petabyteboy @ryantm) nixos/jitsi-meet: prefer 'serviceConfig' over 'chmod'/'chown' #325637
• nixos/modules/services/web-apps/mattermost.nix (@jslight90 @ryantm)
• nixos/modules/services/web-apps/bookstack.nix (bookstack: 0.31.7 -> 21.04.3 + nixos/bookstack: use umask before echoing & clear cache before starting #119325)
• nixos/modules/services/web-apps/engelsystem.nix (@kloenk)
• nixos/modules/services/web-apps/sogo.nix (@ajs124) nixos/sogo: prefer 'install' over 'chmod'/'chown' #325644
• nixos/modules/services/web-apps/keycloak.nix () nixos/keycloak: Security fixes + misc #121778
• nixos/modules/services/networking/xrdp.nix (@telotortium)
• nixos/modules/services/networking/firefox/sync-server.nix (@Nadrieril) f8b4cf0
• nixos/modules/services/networking/pptpd.nix (@obadz) pptpd: prefer 'install' over 'chmod/chown' #308085
• nixos/modules/services/networking/bee.nix (@attila-lendvai) nixos/bee: prefer 'install' over 'chmod' #325291
• nixos/modules/services/networking/nsd.nix (nixos/nsd: atomically create state directories with appropriate mode #121427) nixos/nsd: prefer 'install' over 'chmod' #299581
• nixos/modules/services/networking/wireguard.nix (wireguard module: generatePrivateKeyFile: Fix chmod security race #121294)
• nixos/modules/services/networking/supplicant.nix (nixos/wpa_supplicant: prefer 'install' over 'touch/chmod/mkdir/chgrp' #121395)
• nixos/modules/services/networking/ircd-hybrid/ircd.conf (@Scriptkiddi) (not a nix config)
• nixos/modules/services/networking/searx.nix (@rnhmjoj) searx: set settings.yml permissions using umask #121512
• nixos/modules/services/networking/yggdrasil.nix (@ehmry @gazally) nixos/yggdrasil: set directory permissions before writing keys #121968
• nixos/modules/services/networking/cjdns.nix (@mkg20001 @infinisil @elitak) nixos/cjdns: prefer 'install' over 'chmod' #300519
• nixos/modules/services/networking/xl2tpd.nix (@obadz) nixos/xl2tpd: prefer 'install' over 'chmod/chown' #302388
• nixos/modules/services/mail/mailman.nix (NixOS modules: chmod leaves opportunity to leak secrets #121293 (comment)) nixos/mailman: prefer 'install' over 'chmod/chown' #308092
• nixos/modules/services/mail/postsrsd.nix (@gkleen @abbradar) nixos/postsrsd: prefer 'install' over 'chmod/chown' #304340
• nixos/modules/services/cluster/kubernetes/pki.nix (@ymatsiuk @saschagrunert @anmonteiro) kubernetes: prefer 'install' over 'mkdir/chmod/chown' #286032
• nixos/modules/config/swap.nix (@nbraud @tokudan @roberth) nixos/swap: prefer 'umask' over 'chmod' #312516
• nixos/modules/security/acme.nix and nixos/modules/security/acme.xml (nixos/acme: Ensure certs are always protected #121750)
• nixos/modules/virtualisation/digital-ocean-config.nix (@eamsden) nixos/digital-ocean-config: prefer 'umask' over 'chmod' #308065
• nixos/modules/virtualisation/openstack-metadata-fetcher.nix (metadata fetchers: use umask instead of fetch-and-chmod #121449)
• nixos/modules/virtualisation/fetch-instance-ssh-keys.bash (@talyz) 524aecf
• nixos/modules/virtualisation/ec2-metadata-fetcher.nix (metadata fetchers: use umask instead of fetch-and-chmod #121449)
• nixos/modules/virtualisation/azure-image.nix (@colemickens @copumpkin) waagent: enable provisioning #266381
• nixos/modules/virtualisation/vagrant-guest.nix (@joseph-long) nixos/vagrant-guest: prefer 'install' over 'chmod' #302909
• nixos/modules/virtualisation/ec2-data.nix (@doshitan @edolstra) ec2-data: prefer 'install/umask' over 'chmod' #304362
• nixos/modules/virtualisation/brightbox-image.nix (@rbvermaa) nixos/brightbox-image: prefer 'umask' over 'chmod' #307461 brightboxImage: remove, as it seems unmaintained #339790

EDIT: wording, to make clear that I did not check whether this actually causes a problem in all of the above cases

[dotlambda]

I would say that mkdir followed by chmod is usually not problematic because no files will be created in between the two operations. However, it might be better style to use mkdir -m or install -dm.

[bjornfor]

However, it might be better style to use mkdir -m or install -dm.

I don't know about install, but I think mkdir -m will not set the permissions if the directory already exists (so configured vs actual permissions might diverge).

[dotlambda]

I don't know about install, but I think mkdir -m will not set the permissions if the directory already exists (so configured vs actual permissions might diverge).

Yes, if -p is used existing directories will not be changed. If it's not used, it will just cause an error.
install -dm will change the permissions of an existing directory though.

[cole-h]

Even though the actual ping never went through, I think you meant @colemickens for nixos/modules/virtualisation/azure-image.nix ;)

[dotlambda]

@cole-h Sorry, I didn't mean to relate your name to any FUD nonsense ;-)

[m1cr0man]

Wrt acme, lego will write with 0600 permissions, which means that only the acme user can initially read any of the secure files it outputs. The chmod/chgrp/chowns scattered throughout acme.nix are there to either open or correct permissions such that the configured group will be able to read the certs. The acme-fixperms service is there solely to fix insecure permissions that may have existed in past iterations of the module (on upgrading systems). The only possible leak I can see is through the selfsigned service, which applies a chmod 600 after minica is called. I will set the umask on the selfsigned cert generator service instead.

[nh2]

The chmod/chgrp/chowns scattered throughout acme.nix are there to either open or correct permissions such that the configured group will be able to read the certs

We should best annotate such safe uses with comments to make it clear.

[dotlambda]

I would say that mkdir followed by chmod is usually not problematic because no files will be created in between the two operations. However, it might be better style to use mkdir -m or install -dm.

@mohe2015 Can you elaborate on what your 👎 means?

[mohe2015]

I would say that mkdir followed by chmod is usually not problematic because no files will be created in between the two operations. However, it might be better style to use mkdir -m or install -dm.

I'm not sure but I could imagine that someone could write to the directory in the rare case that the default permissions allow that. I just thought it would be cleaner to go all the way if somebody puts in the effort. But if this is really impossible it shouldn't matter.

[rnhmjoj]

In searx it's not much of an issue: it only allows users of the searx group to read the secrets, but I will try to fix it anyway.

[picnoir]

FYI:

1. I'm not NSD's maintainer.
2. I did not write that code.
3. The state dir is mode 700.

I'll fix it nevertheless.

[alyssais]

I don't believe the mailman module is vulnerable, because it uses mktemp(1) to create its secret file

Files are created u+rw, and directories u+rwx, minus umask restrictions.

So the chmod should just have the effect of broadening the permissions to make it group readable. (It also does u-w, but that's meaningless since the owner is root.)

But I will do some testing today to verify that I am correct here.

Edit: I have confirmed this by commenting out the chmod/chown, and indeed the file starts being accessible only to root.

[Nadrieril]

The syncserver module is broken and due for removal (#74725), so I guess it doesn't matter

[picnoir]

The nsd fix is there: #121427

[endgame]

I've done the compute image metadata fetchers in #121449, but GH assigned no reviewers. Can someone here review for me?

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/how-should-one-report-small-vulnerabilities-in-individual-modules/17279/1

[nh2]

@ryantm Would your ryantm@b0088d4 be upstreamable for mattermost?

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/how-should-one-report-small-vulnerabilities-in-individual-modules/17279/2

[nbraud]

touch, cp, etc. followed by chmod leaves an opportunity to leak secrets as explained in #121288. install -m does the same, but in one command. Use umask instead.

Thank you so much for going through all the potentially-affected services <3

• nixos/modules/config/swap.nix (@nbraud @tokudan @roberth)

Did you mean to tag someone else? I did the PR for wpa_supplicant some time ago, but didn't poke swap.nix

P.S.: Speaking of which, #275312 (backporting the wpa_supplicant fix) is needing a review ;3