Default cacheDir causing some minor problems when rekeying · Issue #9 · oddlama/agenix-rekey · GitHub

Default cacheDir causing some minor problems when rekeying #9

Closed
Freakmiko opened this issue Sep 30, 2023 · 3 comments

Comments

@Freakmiko

Something that tripped me up for a bit after updating my flake was the new cacheDir.
This new cacheDir is currently defined as default = "/tmp/agenix-rekey.\"$UID\"";.

This creates new directories for each user running rekey (as far as I understand). However, if you don't add the users explicitly to trusted-users and simply follow the readme and add nix.settings.extra-sandbox-paths = ["/tmp/agenix-rekey"]; to the configuration, rekeying will always fail.

My suggestion would be to change the default cacheDir to default = "/tmp/agenix-rekey/\"$UID\"";. This would create the uid-directories under the agenix-rekey cacheDir and make setting the extra-sandbox-paths easier.

@oddlama
Owner

oddlama commented Sep 30, 2023

Thanks for bringing this up, that's a very good point. The issue is that the parent directory needs to have the sticky bit set (chmod 1777) so that only the owner of a directory may delete it. That is the case for /tmp but not for /tmp/agenix-rekey, which would be created by the first user running rekey. Missing the sticky bit would then compromise integrity for other users running rekey, since that first user might just replace rekeyed secrets by simply deleting the uid folder for another user and replacing the content with something else.

The only possible solutions I can see are:

  • Manually adding nix.settings.extra-sandbox-paths = ["/tmp/agenix-rekey-<UID>"]; for each user that needs to be able to rekey
  • Be less strict in the sandbox and add nix.settings.extra-sandbox-paths = ["/tmp"]; (not very elegant)
  • Add a different persistent cache folder for agenix-rekey somewhere else (/var/cache/agenix-rekey, with mode 1777), then set cacheDir = "/var/cache/agenix-rekey/\"$UID\"" and add nix.settings.extra-sandbox-paths = ["/var/cache/agenix-rekey"];.

The third solution is basically what you are proposing and what I've done in my own config, but it requires creating a directory with 1777. So the downside is that you have to manually do that or write an activation script that does it. Alternatively, if you are using impermanence you can do the following:

age.rekey.cacheDir = "/var/tmp/agenix-rekey/\"$UID\"";
environment.persistence."/state".directories = [
  { directory = "/var/tmp/agenix-rekey"; mode = "1777"; }
];

I've corrected the example in the readme and linked here for future readers. If you have any other suggestions on making this more accessible let me know!

@Freakmiko
Author

Freakmiko commented Sep 30, 2023

Thank you for the answer, I was fully expecting this just to be a stupid mistake of mine somewhere in my config (due to my inexperience with nix and linux as a whole).
Something that I've just tried and currently works on my machine™ is the following setting:
nix.settings.extra-sandbox-paths = [ "/var/tmp/agenix-rekey" ]
age.rekey.cacheDir = "/var/tmp/agenix-rekey/\"$UID\"";

systemd.tmpfiles.rules = [
  "d /var/tmp/agenix-rekey 1777 root root"
];

So that might be another solution depending on the setup :)
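The layout the thread settles on (a 1777 parent directory, one subdirectory per UID) can be verified rather than assumed. The following is an added example, not code from agenix-rekey or from anyone in this thread: a small Python check that reports the two failure modes discussed above, a parent that is world-writable without the sticky bit (any user could delete and replace another user's uid folder) and a per-user subdirectory that is not owned by the expected user or is writable by others. The function name, the temporary-directory demo and the expected parent path are all this example's own assumptions.

```python
import os
import stat
import tempfile


def check_cache_dir(parent, uid=None):
    """Return a list of findings for a shared per-user cache layout.

    Expected layout (as in the thread): ``parent`` is mode 1777, so every
    user can create a subdirectory but only a subdirectory's owner can
    delete or rename it; ``parent/<uid>`` belongs to that user and is not
    writable by anyone else. An empty list means the layout is sound.
    """
    findings = []
    if uid is None:
        uid = os.getuid()

    try:
        st = os.lstat(parent)
    except FileNotFoundError:
        return [f"{parent}: does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        # A symlink here would also fail this test, which is what we want.
        return [f"{parent}: not a directory"]

    perm = stat.S_IMODE(st.st_mode)
    if not perm & stat.S_IWOTH:
        findings.append(
            f"{parent}: not world-writable, other users cannot create their uid subdirectory"
        )
    elif not perm & stat.S_ISVTX:
        # This is the integrity problem described in the thread: without the
        # sticky bit any user may unlink another user's subdirectory and
        # recreate it with their own content.
        findings.append(
            f"{parent}: world-writable without the sticky bit, any user may "
            f"delete or replace another user's subdirectory"
        )

    sub = os.path.join(parent, str(uid))
    try:
        sst = os.lstat(sub)
    except FileNotFoundError:
        # This user has not run rekey yet; nothing more to check.
        return findings
    if stat.S_ISLNK(sst.st_mode):
        findings.append(f"{sub}: is a symlink, refusing to trust it")
        return findings
    if sst.st_uid != uid:
        findings.append(f"{sub}: owned by uid {sst.st_uid}, expected {uid}")
    if stat.S_IMODE(sst.st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{sub}: writable by group or others")
    return findings


def demo():
    """Build a sound layout and a weak one under a temp dir (constructed
    sample data) and return the findings for each."""
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "good")  # hypothetical /var/tmp/agenix-rekey done right
        bad = os.path.join(root, "bad")    # same layout, but mode 777 instead of 1777
        os.mkdir(good)
        os.chmod(good, 0o1777)
        os.mkdir(bad)
        os.chmod(bad, 0o777)
        uid = os.getuid()
        for parent in (good, bad):
            user_dir = os.path.join(parent, str(uid))
            os.mkdir(user_dir)
            os.chmod(user_dir, 0o700)
        return check_cache_dir(good, uid), check_cache_dir(bad, uid)


if __name__ == "__main__":
    for label, result in zip(("good", "bad"), demo()):
        print(label, result or "OK")
```

Run it against a real path with `check_cache_dir("/var/tmp/agenix-rekey")` after the tmpfiles rule above has been applied; the check only reads metadata, so it is safe to include in a pre-rekey hook. It does not check that the parent is owned by root, since the thread's impermanence variant leaves that to the persistence module.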

@plaidfinch

plaidfinch commented May 6, 2024

@Freakmiko I can confirm that your solution does the trick for me as well! Thank you!
