author | emilylange <git@emilylange.de> | 2024-03-09 18:19:51 +0100 |
---|---|---|
committer | Bjørn Forsman <bjorn.forsman@gmail.com> | 2024-03-11 17:34:29 +0100 |
commit | 61a651e36286e1667afa73367465b09edcff6add (patch) | |
tree | 921abc6e85c52a80a0fefbea1bc17b203013ec61 /nixos/modules/services/databases | |
parent | bc3604ee35c8a7be4e219174411d1418d3787804 (diff) | |
nixos/lldap: bootstrap `jwt_secret` if not provided
If not provided, lldap defaults to `secretjwtsecret`, a value which is hardcoded in the code base. See https://github.com/lldap/lldap/blob/v0.5.0/server/src/infra/configuration.rs#L76-L77 This is really bad, because if the `jwt_secret` is known, an attacker can trivially generate an admin access token/cookie.
Diffstat (limited to 'nixos/modules/services/databases')
-rw-r--r-- | nixos/modules/services/databases/lldap.nix | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/nixos/modules/services/databases/lldap.nix b/nixos/modules/services/databases/lldap.nix
index e821da8e58aa..68374425449f 100644
--- a/nixos/modules/services/databases/lldap.nix
+++ b/nixos/modules/services/databases/lldap.nix
@@ -107,8 +107,21 @@ in
       wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       wantedBy = [ "multi-user.target" ];
+      # lldap defaults to a hardcoded `jwt_secret` value if none is provided, which is bad, because
+      # an attacker could create a valid admin jwt access token fairly trivially.
+      # Because there are 3 different ways `jwt_secret` can be provided, we check if any one of them is present,
+      # and if not, bootstrap a secret in `/var/lib/lldap/jwt_secret_file` and give that to lldap.
+      script = lib.optionalString (!cfg.settings ? jwt_secret) ''
+        if [[ -z "$LLDAP_JWT_SECRET_FILE" ]] && [[ -z "$LLDAP_JWT_SECRET" ]]; then
+          if [[ ! -e "./jwt_secret_file" ]]; then
+            ${lib.getExe pkgs.openssl} rand -base64 -out ./jwt_secret_file 32
+          fi
+          export LLDAP_JWT_SECRET_FILE="./jwt_secret_file"
+        fi
+      '' + ''
+        ${lib.getExe cfg.package} run --config-file ${format.generate "lldap_config.toml" cfg.settings}
+      '';
       serviceConfig = {
-        ExecStart = "${lib.getExe cfg.package} run --config-file ${format.generate "lldap_config.toml" cfg.settings}";
         StateDirectory = "lldap";
         WorkingDirectory = "%S/lldap";
         User = "lldap";
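Review bot: The bootstrapped `./jwt_secret_file` is written by `openssl rand -out` with the service's default umask, so inside `%S/lldap` (a `StateDirectory`, which systemd creates 0755 unless `StateDirectoryMode` says otherwise) it is likely readable by every local user, which defeats the purpose of replacing the hardcoded secret; put `umask 077` on the line before the `openssl rand` call, or add `UMask = "0077";` (or `StateDirectoryMode = "0700";`) to `serviceConfig`, whose remainder is outside the hunk and may already set one of these. The guard also only tests `-e`, so a first run interrupted mid-write would leave an empty file that every later start reuses as an empty secret; `if [[ ! -s "./jwt_secret_file" ]]; then` regenerates in that case. The `script` attribute starts in the hunk, but the enclosing `systemd.services` definition and the rest of `serviceConfig` end outside it.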