Merge pull request #267693 from nbraud/nixos/wpa_supplicant/umask

nixos/wpa_supplicant: Ensure the generated config isn't world-readable
This commit is contained in:
Linus Heckemann 2023-12-14 15:09:22 +01:00 committed by GitHub
commit ed25c9936e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 0 deletions

View file

@ -1313,6 +1313,14 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2
- When using [split parity files](https://www.snapraid.it/manual#7.1) in `snapraid`,
the snapraid-sync systemd service will no longer fail to run.
- `wpa_supplicant`'s configuration file cannot be read by non-root users, and
secrets (such as Pre-Shared Keys) can safely be passed via
`networking.wireless.environmentFile`.
The configuration file could previously be read, when `userControlled.enable` (non-default),
by users who are in both `wheel` and `userControlled.group` (defaults to `wheel`)
## Nixpkgs Library {#sec-release-23.11-nixpkgs-lib}
### Breaking Changes {#sec-release-23.11-lib-breaking}

View file

@ -107,6 +107,10 @@ let
stopIfChanged = false;
path = [ package ];
# if `userControl.enable`, the supplicant automatically changes the permissions
# and owning group of the runtime dir; setting `umask` ensures the generated
# config file isn't readable (except to root); see nixpkgs#267693
serviceConfig.UMask = "066";
serviceConfig.RuntimeDirectory = "wpa_supplicant";
serviceConfig.RuntimeDirectoryMode = "700";
serviceConfig.EnvironmentFile = mkIf (cfg.environmentFile != null)