diff options
| author | nicoo <nicoo@mur.at> | 2023-11-15 15:48:56 +0000 |
|---|---|---|
| committer | nicoo <nicoo@mur.at> | 2023-12-09 21:33:55 +0000 |
| commit | a351c9b530bd7bd385c4f0e89606e09f46f50829 (patch) | |
| tree | e2936275ab7bf2b2320804dedb66a4c1ea9fe7d1 /nixos/modules | |
| parent | 6ac78f1174be76d961c393d0d1b61967243cf010 (diff) | |
| download | nixlib-a351c9b530bd7bd385c4f0e89606e09f46f50829.tar nixlib-a351c9b530bd7bd385c4f0e89606e09f46f50829.tar.gz nixlib-a351c9b530bd7bd385c4f0e89606e09f46f50829.tar.bz2 nixlib-a351c9b530bd7bd385c4f0e89606e09f46f50829.tar.lz nixlib-a351c9b530bd7bd385c4f0e89606e09f46f50829.tar.xz nixlib-a351c9b530bd7bd385c4f0e89606e09f46f50829.tar.zst nixlib-a351c9b530bd7bd385c4f0e89606e09f46f50829.zip | |
nixos/wpa_supplicant: Ensure the generated config isn't world-readable
Otherwise, `environmentFile` cannot be used to pass secrets in.
Diffstat (limited to 'nixos/modules')
| -rw-r--r-- | nixos/modules/services/networking/wpa_supplicant.nix | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index 90d9c68433cf..4586550ed75e 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -107,6 +107,10 @@ let stopIfChanged = false; path = [ package ]; + # if `userControl.enable`, the supplicant automatically changes the permissions + # and owning group of the runtime dir; setting `umask` ensures the generated + # config file isn't readable (except to root); see nixpkgs#267693 + serviceConfig.UMask = "066"; serviceConfig.RuntimeDirectory = "wpa_supplicant"; serviceConfig.RuntimeDirectoryMode = "700"; serviceConfig.EnvironmentFile = mkIf (cfg.environmentFile != null) |