Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/gitea: set umask for secret creation #121299

Merged
merged 1 commit into from
May 1, 2021
Merged

nixos/gitea: set umask for secret creation #121299

merged 1 commit into from
May 1, 2021

Conversation

Ma27
Copy link
Member

@Ma27 Ma27 commented Apr 30, 2021

Motivation for this change

This ensures that newly created secrets will have the permissions
0640. With this change it's ensured that no sensitive information will
be word-readable at any time.

Related to #121293.

Strictly speaking this is a breaking change since each new directory
(including data-files) aren't world-readable anymore, but actually these
shouldn't be, unless there's a good reason for it.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@Ma27
Copy link
Member Author

Ma27 commented Apr 30, 2021

@ofborg test gitea

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Apr 30, 2021
@Ma27 Ma27 mentioned this pull request Apr 30, 2021
Open
42 tasks
dotlambda
dotlambda reviewed Apr 30, 2021
View reviewed changes
nixos/modules/services/misc/gitea.nix Outdated
@@ -477,6 +477,7 @@ in
in ''
# copy custom configuration and generate a random secret key if needed
${optionalString (cfg.useWizard == false) ''
umask 027
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You don't want to run this in a sub-shell?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAIU the only file creation operations only happen within this block, so unless I'm missing something right now, this shouldn't be needed.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That will cause problems though if another file creation has to be added at a later point.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dotlambda updated.

@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Apr 30, 2021
@Ma27
nixos/gitea: set umask for secret creation
02c3bd2 
This ensures that newly created secrets will have the permissions
`0640`. With this change it's ensured that no sensitive information will
be word-readable at any time.

Related to NixOS#121293.

Strictly speaking this is a breaking change since each new directory
(including data-files) aren't world-readable anymore, but actually these
shouldn't be, unless there's a good reason for it.
dotlambda
dotlambda reviewed Apr 30, 2021
View reviewed changes
nixos/modules/services/misc/gitea.nix

# Migrate LFS_JWT_SECRET filename
if [[ -e ${oldLfsJwtSecret} && ! -e ${lfsJwtSecret} ]]; then
mv ${oldLfsJwtSecret} ${lfsJwtSecret}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will preserve permissions but I guess that's fine.

@Ma27 Ma27 merged commit 040f0ac into NixOS:master May 1, 2021
@Ma27 Ma27 deleted the gitea-umask branch May 1, 2021 22:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dotlambda dotlambda dotlambda approved these changes

@srhb srhb Awaiting requested review from srhb

@aanderse aanderse Awaiting requested review from aanderse

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Ma27 @dotlambda