diff options
author | Linus Heckemann <git@sphalerite.org> | 2023-12-14 15:09:22 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-12-14 15:09:22 +0100 |
commit | ed25c9936e700365964046d5819510164c5c71b4 (patch) | |
tree | 6849e6966b4015cb81325032affd21e516137d41 /nixos/modules | |
parent | 784545bfd7532d64a7bfd421957106b1beaa05af (diff) | |
parent | a351c9b530bd7bd385c4f0e89606e09f46f50829 (diff) | |
download | nixlib-ed25c9936e700365964046d5819510164c5c71b4.tar nixlib-ed25c9936e700365964046d5819510164c5c71b4.tar.gz nixlib-ed25c9936e700365964046d5819510164c5c71b4.tar.bz2 nixlib-ed25c9936e700365964046d5819510164c5c71b4.tar.lz nixlib-ed25c9936e700365964046d5819510164c5c71b4.tar.xz nixlib-ed25c9936e700365964046d5819510164c5c71b4.tar.zst nixlib-ed25c9936e700365964046d5819510164c5c71b4.zip |
Merge pull request #267693 from nbraud/nixos/wpa_supplicant/umask
nixos/wpa_supplicant: Ensure the generated config isn't world-readable
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/networking/wpa_supplicant.nix | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index 90d9c68433cf..4586550ed75e 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -107,6 +107,10 @@ let stopIfChanged = false; path = [ package ]; + # if `userControl.enable`, the supplicant automatically changes the permissions + # and owning group of the runtime dir; setting `umask` ensures the generated + # config file isn't readable (except to root); see nixpkgs#267693 + serviceConfig.UMask = "066"; serviceConfig.RuntimeDirectory = "wpa_supplicant"; serviceConfig.RuntimeDirectoryMode = "700"; serviceConfig.EnvironmentFile = mkIf (cfg.environmentFile != null) |