treewide: Replace uses of replace-literal with replace-secret to avoid leaking secrets
#121708
Conversation
github-actions
bot
added
6.topic: nixos
| '/proc/<pid>/cmdline', unlike when 'sed' or 'replace' is used. | ||
|
|
||
| """ | ||
| with open(secret_filename) as sf, open(filename, 'r+') as f: |
There was a problem hiding this comment.
Should this set a umask or something?
There was a problem hiding this comment.
It does the replacement in-place, so the file's permissions are retained. I guess it could force the permissions to something restrictive, but this feels like a surprising behavior..
ofborg
bot
added
8.has: package (new)
talyz
added
the
1.severity: security
|
I can confirm that both mpd and mpdscribble launch fine with this change merged to |
|
LGTM |
| @@ -713,11 +710,12 @@ in | |||
| cfg.siteSettings | |||
| "/run/discourse/config/nixos_site_settings.json" | |||
| } | |||
| install -T -m 0400 -o discourse ${discourseConf} /run/discourse/config/discourse.conf | |||
| install -T -m 0600 -o discourse ${discourseConf} /run/discourse/config/discourse.conf | |||
There was a problem hiding this comment.
Is this change related?
There was a problem hiding this comment.
Yes, this is required for it to be able to write to the file. replace-literal ignores permissions (or maybe the -f flag also has that effect), but replace-secret doesn't.
| ${mkSecretReplacement cfg.database.passwordFile} | ||
| ${mkSecretReplacement cfg.mail.outgoing.passwordFile} | ||
| ${mkSecretReplacement cfg.redis.passwordFile} | ||
| ${mkSecretReplacement cfg.secretKeyBaseFile} | ||
| chmod 0400 /run/discourse/config/discourse.conf |
There was a problem hiding this comment.
This change too perhaps is worth merging, but should at least come in a separate commit.
There was a problem hiding this comment.
This makes sure the file has the same permissions as before the commit, but sets it after inserting the secrets.
| @@ -0,0 +1,22 @@ | |||
| { stdenv, lib, python3 }: | |||
There was a problem hiding this comment.
Perhaps add a check phase here that does some trivial usage of the command so we can be sure it still works without having to run nixos tests.
There was a problem hiding this comment.
Yeah, that's a good idea. I added two simple checks. If the diff looks okay to you, I'll squash it.
Add a small utility script which securely replaces secrets in files. Doing this with `sed`, `replace-literal` or similar utilities leaks the secrets through the spawned process' `/proc/<pid>/cmdline` file.
Using `replace-literal` to insert secrets leaks the secrets through the `replace-literal` process' `/proc/<pid>/cmdline` file. `replace-secret` solves this by reading the secret straight from the file instead, which also simplifies the code a bit.
Using `replace-literal` to insert secrets leaks the secrets through the `replace-literal` process' `/proc/<pid>/cmdline` file. `replace-secret` solves this by reading the secret straight from the file instead, which also simplifies the code a bit.
Using `replace-literal` to insert secrets leaks the secrets through the `replace-literal` process' `/proc/<pid>/cmdline` file. `replace-secret` solves this by reading the secret straight from the file instead, which also simplifies the code a bit.
Using `replace-literal` to insert secrets leaks the secrets through the `replace-literal` process' `/proc/<pid>/cmdline` file. `replace-secret` solves this by reading the secret straight from the file instead.
Using `replace-literal` to insert secrets leaks the secrets through the `replace-literal` process' `/proc/<pid>/cmdline` file. `replace-secret` solves this by reading the secret straight from the file instead, which also simplifies the code a bit.
Motivation for this change
Using
replace-literal(or similar) to insert secrets leaks the secrets through thereplace-literalprocess'/proc/<pid>/cmdlinefile. This introduces a tinyreplace-secretutility which solves this by reading the secret straight from the file instead, which also usually simplifies the code a bit, since we're always reading the secret from a file anyway.I've focused on replacing uses of
replace-literalhere, since they translate very easily, butsedusage and other similar ones should also be replaced in the future.The
mpdandmpdscribblechanges have not been tested with real credentials, so help from someone who uses them would be appreciated.Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)