nixos/ddclient: don't leak password in process listings
...by using `replace-secret` instead of `sed` when injecting the password into the ddclient config file. (Verified with `execsnoop`.) Ref https://github.com/NixOS/nixpkgs/issues/156400.
parent
85deee6d6c
commit
e0f2f7f9ea
1 changed files with 3 additions and 4 deletions
|
@ -13,7 +13,7 @@ let
|
||||||
foreground=YES
|
foreground=YES
|
||||||
use=${cfg.use}
|
use=${cfg.use}
|
||||||
login=${cfg.username}
|
login=${cfg.username}
|
||||||
password=${lib.optionalString (cfg.protocol == "nsupdate") "/run/${RuntimeDirectory}/ddclient.key"}
|
password=${if cfg.protocol == "nsupdate" then "/run/${RuntimeDirectory}/ddclient.key" else "@password_placeholder@"}
|
||||||
protocol=${cfg.protocol}
|
protocol=${cfg.protocol}
|
||||||
${lib.optionalString (cfg.script != "") "script=${cfg.script}"}
|
${lib.optionalString (cfg.script != "") "script=${cfg.script}"}
|
||||||
${lib.optionalString (cfg.server != "") "server=${cfg.server}"}
|
${lib.optionalString (cfg.server != "") "server=${cfg.server}"}
|
||||||
|
@ -33,10 +33,9 @@ let
|
||||||
${lib.optionalString (cfg.configFile == null) (if (cfg.protocol == "nsupdate") then ''
|
${lib.optionalString (cfg.configFile == null) (if (cfg.protocol == "nsupdate") then ''
|
||||||
install ${cfg.passwordFile} /run/${RuntimeDirectory}/ddclient.key
|
install ${cfg.passwordFile} /run/${RuntimeDirectory}/ddclient.key
|
||||||
'' else if (cfg.passwordFile != null) then ''
|
'' else if (cfg.passwordFile != null) then ''
|
||||||
password=$(printf "%q" "$(head -n 1 "${cfg.passwordFile}")")
|
"${pkgs.replace-secret}/bin/replace-secret" "@password_placeholder@" "${cfg.passwordFile}" "/run/${RuntimeDirectory}/ddclient.conf"
|
||||||
sed -i "s|^password=$|password=$password|" /run/${RuntimeDirectory}/ddclient.conf
|
|
||||||
'' else ''
|
'' else ''
|
||||||
sed -i '/^password=$/d' /run/${RuntimeDirectory}/ddclient.conf
|
sed -i '/^password=@password_placeholder@$/d' /run/${RuntimeDirectory}/ddclient.conf
|
||||||
'')}
|
'')}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
|
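Review bot: The `replace-secret` call in the second hunk substitutes the whole content of `cfg.passwordFile`, whereas the removed code took only the first line via `head -n 1`, so a password file with more than one line would now, as far as I can tell, write extra lines into `ddclient.conf`. The shell quoting from `printf "%q"` is gone as well, which changes how a password with special characters ends up in the file. I would put a comment next to the call, such as `# replace-secret inserts the whole content of passwordFile, not just its first line; the file must contain only the password`, and say the same in the `passwordFile` option description. It is also worth confirming that the script aborts when `replace-secret` fails, because otherwise ddclient would start with the literal `@password_placeholder@` as its password; the start of the script, and any `set -e` in it, is outside the hunk.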