nixos/yggdrasil: set directory permissions before writing keys

Remove the opportunity for someone to read the keys in between when they are written and when the chmod is done. Addresses #121293.
2021-05-06 17:14:03 -07:00 · 2021-05-06 17:14:03 -07:00 · 28f51d7757
parent 468cb5980b
commit 28f51d7757
1 changed files with 2 additions and 3 deletions
--- a/nixos/modules/services/networking/yggdrasil.nix
+++ b/nixos/modules/services/networking/yggdrasil.nix
@ -64,7 +64,7 @@ in {
        type = types.str;
        default = "root";
        example = "wheel";
-        description = "Group to grant acces to the Yggdrasil control socket.";
+        description = "Group to grant access to the Yggdrasil control socket.";
      };

      openMulticastPort = mkOption {
@ -122,12 +122,11 @@ in {
    system.activationScripts.yggdrasil = mkIf cfg.persistentKeys ''
      if [ ! -e ${keysPath} ]
      then
-        mkdir -p ${builtins.dirOf keysPath}
+        mkdir --mode=700 -p ${builtins.dirOf keysPath}
        ${binYggdrasil} -genconf -json \
          | ${pkgs.jq}/bin/jq \
              'to_entries|map(select(.key|endswith("Key")))|from_entries' \
          > ${keysPath}
-        chmod 600 ${keysPath}
      fi
    '';