nixos/wpa_supplicant: Ensure the generated config isn't world-readable

Otherwise, `environmentFile` cannot be used to pass secrets in.
This commit is contained in:
nicoo 2023-11-15 15:48:56 +00:00
parent 6ac78f1174
commit a351c9b530
2 changed files with 12 additions and 0 deletions

View file

@ -1313,6 +1313,14 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2
- When using [split parity files](https://www.snapraid.it/manual#7.1) in `snapraid`,
the snapraid-sync systemd service will no longer fail to run.
- `wpa_supplicant`'s configuration file cannot be read by non-root users, and
secrets (such as Pre-Shared Keys) can safely be passed via
`networking.wireless.environmentFile`.
The configuration file could previously be read, when `userControlled.enable` (non-default),
by users who are in both `wheel` and `userControlled.group` (defaults to `wheel`)
## Nixpkgs Library {#sec-release-23.11-nixpkgs-lib}
### Breaking Changes {#sec-release-23.11-lib-breaking}

View file

@ -107,6 +107,10 @@ let
stopIfChanged = false;
path = [ package ];
# if `userControl.enable`, the supplicant automatically changes the permissions
# and owning group of the runtime dir; setting `umask` ensures the generated
# config file isn't readable (except to root); see nixpkgs#267693
serviceConfig.UMask = "066";
serviceConfig.RuntimeDirectory = "wpa_supplicant";
serviceConfig.RuntimeDirectoryMode = "700";
serviceConfig.EnvironmentFile = mkIf (cfg.environmentFile != null)