b12f/nixpkgs
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

nixos/ddclient: don't leak password in process listings

Browse source 
...by using `replace-secret` instead of `sed` when injecting the
password into the ddclient config file. (Verified with `execsnoop`.)

Ref https://github.com/NixOS/nixpkgs/issues/156400.
This commit is contained in:
Bjørn Forsman 2022-07-12 09:03:29 +02:00
parent 85deee6d6c
commit e0f2f7f9ea
1 changed files with 3 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
nixos/modules/services/networking/ddclient.nix
View file

@ -13,7 +13,7 @@ let
foreground=YES
use=${cfg.use}
login=${cfg.username}
password=${lib.optionalString (cfg.protocol == "nsupdate") "/run/${RuntimeDirectory}/ddclient.key"}
password=${if cfg.protocol == "nsupdate" then "/run/${RuntimeDirectory}/ddclient.key" else "@password_placeholder@"}
protocol=${cfg.protocol}
${lib.optionalString (cfg.script != "") "script=${cfg.script}"}
${lib.optionalString (cfg.server != "") "server=${cfg.server}"}
@ -33,10 +33,9 @@ let
${lib.optionalString (cfg.configFile == null) (if (cfg.protocol == "nsupdate") then ''
install ${cfg.passwordFile} /run/${RuntimeDirectory}/ddclient.key
'' else if (cfg.passwordFile != null) then ''
password=$(printf "%q" "$(head -n 1 "${cfg.passwordFile}")")
sed -i "s|^password=$|password=$password|" /run/${RuntimeDirectory}/ddclient.conf
"${pkgs.replace-secret}/bin/replace-secret" "@password_placeholder@" "${cfg.passwordFile}" "/run/${RuntimeDirectory}/ddclient.conf"
'' else ''
sed -i '/^password=$/d' /run/${RuntimeDirectory}/ddclient.conf
sed -i '/^password=@password_placeholder@$/d' /run/${RuntimeDirectory}/ddclient.conf
'')}
'';