author | Linus Heckemann <git@sphalerite.org> | 2023-12-14 15:09:22 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-12-14 15:09:22 +0100 |
commit | ed25c9936e700365964046d5819510164c5c71b4 (patch) | |
tree | 6849e6966b4015cb81325032affd21e516137d41 | |
parent | 784545bfd7532d64a7bfd421957106b1beaa05af (diff) | |
parent | a351c9b530bd7bd385c4f0e89606e09f46f50829 (diff) | |
Merge pull request #267693 from nbraud/nixos/wpa_supplicant/umask
nixos/wpa_supplicant: Ensure the generated config isn't world-readable
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2311.section.md | 8 | ||||
-rw-r--r-- | nixos/modules/services/networking/wpa_supplicant.nix | 4 |
2 files changed, 12 insertions, 0 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md
index 5c6bdf97d120..1aef1828908f 100644
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -1313,6 +1313,14 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2
 - When using [split parity files](https://www.snapraid.it/manual#7.1) in `snapraid`, the snapraid-sync systemd service will no longer fail to run.
+- `wpa_supplicant`'s configuration file cannot be read by non-root users, and
+ secrets (such as Pre-Shared Keys) can safely be passed via
+ `networking.wireless.environmentFile`.
+
+ The configuration file could previously be read, when `userControlled.enable` (non-default),
+ by users who are in both `wheel` and `userControlled.group` (defaults to `wheel`)
+
+
 ## Nixpkgs Library {#sec-release-23.11-nixpkgs-lib}
 ### Breaking Changes {#sec-release-23.11-lib-breaking}
diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix
index 90d9c68433cf..4586550ed75e 100644
--- a/nixos/modules/services/networking/wpa_supplicant.nix
+++ b/nixos/modules/services/networking/wpa_supplicant.nix
@@ -107,6 +107,10 @@ let
 stopIfChanged = false;
 path = [ package ];
+ # if `userControl.enable`, the supplicant automatically changes the permissions
+ # and owning group of the runtime dir; setting `umask` ensures the generated
+ # config file isn't readable (except to root); see nixpkgs#267693
+ serviceConfig.UMask = "066";
 serviceConfig.RuntimeDirectory = "wpa_supplicant";
 serviceConfig.RuntimeDirectoryMode = "700";
 serviceConfig.EnvironmentFile = mkIf (cfg.environmentFile != null) |
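Review bot: The comment added above `serviceConfig.UMask` spells the option `userControl.enable`, while the release-note hunk in this same commit spells it `userControlled.enable` (and `userControlled.group`); the first comment line should read `# if 'userControlled.enable' is set, the supplicant automatically changes the permissions`. It would also help to state the effective modes so a later reader does not relax the mask to silence a permissions complaint without seeing the secrets implication, e.g. `# UMask 066 -> files 0600, directories 0711; RuntimeDirectoryMode below is set explicitly by systemd and should be unaffected`. The mask applies to everything this unit and its pre-start steps create, including the control socket when user control is enabled; the comment says the supplicant fixes up the runtime dir's group and mode itself, and presumably it does the same for the socket, but that is worth confirming rather than relying on the comment alone. The attribute set this hunk sits in starts and ends outside the hunk.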