authorEelco Dolstra <eelco.dolstra@logicblox.com>2015-01-15 18:36:38 +0100
committerEelco Dolstra <eelco.dolstra@logicblox.com>2015-01-15 18:37:55 +0100
commitefa8fc2b0a5e94fd22e26c31c82b643d2352e92a (patch)
tree60b227c2470b03cdcc2f12e826d4a9cd39b0bef9 /nixos
parentb9c4569b6b4c7fc3eb96b55cbf4043f2ba35a901 (diff)
Paranoia
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/system/boot/stage-2-init.sh1
-rw-r--r--nixos/modules/virtualisation/ec2-data.nix2
-rw-r--r--nixos/modules/virtualisation/google-compute-image.nix2
-rw-r--r--nixos/tests/installer.nix3
4 files changed, 6 insertions, 2 deletions
diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh
index 3762bda94a5c..356a440b17ac 100644
--- a/nixos/modules/system/boot/stage-2-init.sh
+++ b/nixos/modules/system/boot/stage-2-init.sh
@@ -91,6 +91,7 @@ mkdir -m 01777 -p /tmp
 mkdir -m 0755 -p /var /var/log /var/lib /var/db
 mkdir -m 0755 -p /nix/var
 mkdir -m 0700 -p /root
+chmod 0700 /root
 mkdir -m 0755 -p /bin # for the /bin/sh symlink
 mkdir -m 0755 -p /home
 mkdir -m 0755 -p /etc/nixos
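Review bot: The new `chmod 0700 /root` on the line after `mkdir -m 0700 -p /root` deserves a comment, because the reason for having both is not obvious: `-m` only applies when mkdir actually creates the directory, so a pre-existing `/root` with looser permissions (e.g. from an older image) keeps them until the explicit chmod. I would add `# -m has no effect when /root already exists; force the mode on every boot` above the chmod so nobody "simplifies" it away later. Note that chmod fixes the mode but not ownership; if `/root` could be owned by someone other than root in some image, a `chown` would be needed too, but nothing in this hunk shows that case. The surrounding statement run continues outside the hunk.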
diff --git a/nixos/modules/virtualisation/ec2-data.nix b/nixos/modules/virtualisation/ec2-data.nix
index 93a83a3e42af..15114b1e76ac 100644
--- a/nixos/modules/virtualisation/ec2-data.nix
+++ b/nixos/modules/virtualisation/ec2-data.nix
@@ -44,7 +44,7 @@ with lib;
             # into the image (a Nova feature).
             if ! [ -e /root/.ssh/authorized_keys ]; then
                 echo "obtaining SSH key..."
-                mkdir -p /root/.ssh
+                mkdir -m 0700 -p /root/.ssh
                 $wget http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key > /root/key.pub
                 if [ $? -eq 0 -a -e /root/key.pub ]; then
                     if ! grep -q -f /root/key.pub /root/.ssh/authorized_keys; then
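Review bot: `mkdir -m 0700 -p /root/.ssh` only sets the mode when the directory is created; the guard on the line above checks for `authorized_keys`, not for `.ssh`, so a pre-existing `/root/.ssh` with a permissive mode (from a baked-in image or an interrupted earlier run) is left as is, which is exactly the case the commit's stage-2 `chmod 0700 /root` handles for `/root`. For the same "paranoia" I would follow the mkdir with `chmod 0700 /root/.ssh` so the mode is enforced on every path through this block. This is a one-line addition; the script body continues outside the hunk.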
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index 41c7dd62f3ed..4d493b3896f2 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -139,7 +139,7 @@ in
           # Don't download the SSH key if it has already been downloaded
           if ! [ -e /root/.ssh/authorized_keys ]; then
                 echo "obtaining SSH key..."
-                mkdir -p /root/.ssh
+                mkdir -m 0700 -p /root/.ssh
                 ${wget} -O /root/authorized-keys-metadata http://metadata/0.1/meta-data/authorized-keys
                 if [ $? -eq 0 -a -e /root/authorized-keys-metadata ]; then
                     cat /root/authorized-keys-metadata | cut -d: -f2- > /root/key.pub
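Review bot: Same gap as in the EC2 module: `mkdir -m 0700 -p /root/.ssh` does not touch an already-existing `/root/.ssh`, and the guard on the `if` line only tests for `authorized_keys`, so a directory that already exists with wider permissions keeps them. Add `chmod 0700 /root/.ssh` right after the mkdir so the mode is enforced regardless of whether the directory was just created. The enclosing script body continues outside the hunk.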
diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix
index 641ff924e14e..af9e6365a9fe 100644
--- a/nixos/tests/installer.nix
+++ b/nixos/tests/installer.nix
@@ -190,6 +190,9 @@ let
 
       $machine->succeed("test -e /boot/grub");
 
+      # Check whether /root has correct permissions.
+      $machine->succeed("stat -c '%a' /root") =~ /700/ or die;
+
       # Did the swap device get activated?
       # uncomment once https://bugs.freedesktop.org/show_bug.cgi?id=86930 is resolved
       #$machine->waitForUnit("swap.target");
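Review bot: The added check `=~ /700/` is unanchored, so it also accepts modes such as `1700` or `2700` (sticky/setgid bits), and the bare `die` gives no diagnostic when it fails. I would anchor the match and name the failure: `$machine->succeed("stat -c '%a' /root") =~ /\A700\s*\z/ or die "/root does not have mode 0700";` (the `\s*` absorbs the trailing newline stat prints). The enclosing test script starts before this hunk.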