
Comments (3)

Freakmiko avatar Freakmiko commented on June 16, 2024 1

Thank you for the answer; I was fully expecting this just to be a stupid mistake of mine somewhere in my config (due to my inexperience with Nix and Linux as a whole).
Something that I've just tried and currently works on my machine™ is the following:
Setting
nix.settings.extra-sandbox-paths = [ "/var/tmp/agenix-rekey" ];
age.rekey.cacheDir = "/var/tmp/agenix-rekey/\"$UID\"";

systemd.tmpfiles.rules = [
  "d /var/tmp/agenix-rekey 1777 root root"
];

So that might be another solution depending on the setup :)

from agenix-rekey.

oddlama avatar oddlama commented on June 16, 2024

Thanks for bringing this up, that's a very good point. The issue is that the parent directory needs to have the sticky bit set (chmod 1777) so that only the owner of a directory may delete it. That is the case for /tmp but not for /tmp/agenix-rekey, which would be created by the first user running rekey. Missing the sticky bit would then compromise integrity for other users running rekey, since that first user might just replace rekeyed secrets by simply deleting the uid folder for another user and replacing the content with something else.

The only possible solutions I can see are:

  • Manually adding nix.settings.extra-sandbox-paths = ["/tmp/agenix-rekey-<UID>"]; for each user that needs to be able to rekey
  • Be less strict in the sandbox and add nix.settings.extra-sandbox-paths = ["/tmp"]; (not very elegant)
  • Add a different persistent cache folder for agenix-rekey somewhere else (/var/cache/agenix-rekey, with mode 1777), then set cacheDir = "/var/cache/agenix-rekey/\"$UID\"" and add nix.settings.extra-sandbox-paths = ["/var/cache/agenix-rekey"];.

The third solution is basically what you are proposing and what I've done in my own config, but it requires creating a directory with 1777. So the downside is that you have to manually do that or write an activation script that does it. Alternatively, if you are using impermanence you can do the following:

age.rekey.cacheDir = "/var/tmp/agenix-rekey/\"$UID\"";
environment.persistence."/state".directories = [
  { directory = "/var/tmp/agenix-rekey"; mode = "1777"; }
];

I've corrected the example in the readme and linked here for future readers. If you have any other suggestions on making this more accessible let me know!

from agenix-rekey.
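The two comments above boil down to a handful of filesystem invariants: the shared cache parent must be owned by root (or by the caller), must carry the sticky bit if it is writable by others, and the per-UID subdirectory must be a real directory owned by that UID and not writable by anyone else. The following Python script is an added example of checking exactly those invariants before trusting a cache directory; it is not agenix-rekey's own code. The directory names under the temporary root in demo() are constructed for illustration and mirror the 1777 (safe) and 0777 (unsafe) parent cases discussed in the thread.

```python
import os
import stat
import tempfile


class UnsafeCacheDir(Exception):
    """The cache layout would let another local user tamper with rekeyed secrets."""


def _stat_real_dir(path):
    """lstat() a path and require it to be a real directory, not a symlink."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise UnsafeCacheDir(f"{path} is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeCacheDir(f"{path} is not a directory")
    return st


def check_shared_parent(parent, uid):
    """The shared directory (the thread's /var/tmp/agenix-rekey) must be owned by
    root or by the caller; the owner of a directory can always delete its entries,
    so any other owner could swap a per-UID folder. If it is group/world-writable
    it must carry the sticky bit, so only the owner of a subdirectory can remove it."""
    st = _stat_real_dir(parent)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid not in (0, uid):
        raise UnsafeCacheDir(f"{parent} is owned by uid {st.st_uid}, who could replace entries")
    if mode & (stat.S_IWGRP | stat.S_IWOTH) and not mode & stat.S_ISVTX:
        raise UnsafeCacheDir(f"{parent} is writable by others but lacks the sticky bit (mode {mode:o})")
    return st


def ensure_uid_dir(parent, uid):
    """Create or validate <parent>/<uid> as a private directory of `uid`."""
    check_shared_parent(parent, uid)
    path = os.path.join(parent, str(uid))
    try:
        os.mkdir(path, 0o700)  # atomic: fails if anything already sits at this name
    except FileExistsError:
        pass
    # lstat, not stat: a symlink planted here by another user must not be followed
    st = _stat_real_dir(path)
    if st.st_uid != uid:
        raise UnsafeCacheDir(f"{path} is owned by uid {st.st_uid}, not {uid}")
    if stat.S_IMODE(st.st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
        raise UnsafeCacheDir(f"{path} is writable by group/others")
    return path


def is_safe(parent, uid=None):
    """True if <parent>/<uid> can be used as a private cache, False otherwise."""
    uid = os.getuid() if uid is None else uid
    try:
        ensure_uid_dir(parent, uid)
    except (UnsafeCacheDir, OSError):
        return False
    return True


def demo():
    """Constructed layouts under a temporary root (not real system paths):
    a 1777 parent, a 0777 parent, a 1777 parent where someone planted a symlink
    at the caller's uid name, and a 1777 parent with a group-writable uid dir."""
    uid = os.getuid()
    root = tempfile.mkdtemp()

    sticky = os.path.join(root, "agenix-rekey-1777")
    os.mkdir(sticky)
    os.chmod(sticky, 0o1777)

    loose = os.path.join(root, "agenix-rekey-0777")
    os.mkdir(loose)
    os.chmod(loose, 0o777)

    planted = os.path.join(root, "agenix-rekey-symlink")
    os.mkdir(planted)
    os.chmod(planted, 0o1777)
    os.symlink(root, os.path.join(planted, str(uid)))

    shared = os.path.join(root, "agenix-rekey-groupwrite")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)
    os.mkdir(os.path.join(shared, str(uid)))
    os.chmod(os.path.join(shared, str(uid)), 0o770)

    return (is_safe(sticky, uid), is_safe(loose, uid),
            is_safe(planted, uid), is_safe(shared, uid))


if __name__ == "__main__":
    print(demo())  # expected (True, False, False, False)
```

The check covers the filesystem side only; the nix.settings.extra-sandbox-paths entry from the comments is still needed so the build sandbox can see the directory. The mkdir-then-lstat order matters: creating with mode 0700 first means a pre-existing entry (a symlink or someone else's directory) is detected rather than silently reused.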
