nixos/wpa_supplicant: Ensure the generated config isn't world-readable
Otherwise, `environmentFile` cannot be used to pass secrets in.
This commit is contained in:
parent
6ac78f1174
commit
a351c9b530
2 changed files with 12 additions and 0 deletions
|
@ -1313,6 +1313,14 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2
|
|||
- When using [split parity files](https://www.snapraid.it/manual#7.1) in `snapraid`,
|
||||
the snapraid-sync systemd service will no longer fail to run.
|
||||
|
||||
- `wpa_supplicant`'s configuration file cannot be read by non-root users, and
|
||||
secrets (such as Pre-Shared Keys) can safely be passed via
|
||||
`networking.wireless.environmentFile`.
|
||||
|
||||
The configuration file could previously be read, when `userControlled.enable` (non-default),
|
||||
by users who are in both `wheel` and `userControlled.group` (defaults to `wheel`)
|
||||
|
||||
|
||||
## Nixpkgs Library {#sec-release-23.11-nixpkgs-lib}
|
||||
|
||||
### Breaking Changes {#sec-release-23.11-lib-breaking}
|
||||
|
|
|
@ -107,6 +107,10 @@ let
|
|||
stopIfChanged = false;
|
||||
|
||||
path = [ package ];
|
||||
# if `userControl.enable`, the supplicant automatically changes the permissions
|
||||
# and owning group of the runtime dir; setting `umask` ensures the generated
|
||||
# config file isn't readable (except to root); see nixpkgs#267693
|
||||
serviceConfig.UMask = "066";
|
||||
serviceConfig.RuntimeDirectory = "wpa_supplicant";
|
||||
serviceConfig.RuntimeDirectoryMode = "700";
|
||||
serviceConfig.EnvironmentFile = mkIf (cfg.environmentFile != null)
|
||||
|
|
Loading…
Reference in a new issue