author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-01-15 18:36:38 +0100 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-01-15 18:37:55 +0100 |
commit | efa8fc2b0a5e94fd22e26c31c82b643d2352e92a (patch) | |
tree | 60b227c2470b03cdcc2f12e826d4a9cd39b0bef9 /nixos | |
parent | b9c4569b6b4c7fc3eb96b55cbf4043f2ba35a901 (diff) | |
Paranoia
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/system/boot/stage-2-init.sh | 1 | ||||
-rw-r--r-- | nixos/modules/virtualisation/ec2-data.nix | 2 | ||||
-rw-r--r-- | nixos/modules/virtualisation/google-compute-image.nix | 2 | ||||
-rw-r--r-- | nixos/tests/installer.nix | 3 |
4 files changed, 6 insertions, 2 deletions
diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh
index 3762bda94a5c..356a440b17ac 100644
--- a/nixos/modules/system/boot/stage-2-init.sh
+++ b/nixos/modules/system/boot/stage-2-init.sh
@@ -91,6 +91,7 @@ mkdir -m 01777 -p /tmp
 mkdir -m 0755 -p /var /var/log /var/lib /var/db
 mkdir -m 0755 -p /nix/var
 mkdir -m 0700 -p /root
+chmod 0700 /root
 mkdir -m 0755 -p /bin # for the /bin/sh symlink
 mkdir -m 0755 -p /home
 mkdir -m 0755 -p /etc/nixos
diff --git a/nixos/modules/virtualisation/ec2-data.nix b/nixos/modules/virtualisation/ec2-data.nix
index 93a83a3e42af..15114b1e76ac 100644
--- a/nixos/modules/virtualisation/ec2-data.nix
+++ b/nixos/modules/virtualisation/ec2-data.nix
@@ -44,7 +44,7 @@ with lib;
 # into the image (a Nova feature).
 if ! [ -e /root/.ssh/authorized_keys ]; then
 echo "obtaining SSH key..."
- mkdir -p /root/.ssh
+ mkdir -m 0700 -p /root/.ssh
 $wget http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key > /root/key.pub
 if [ $? -eq 0 -a -e /root/key.pub ]; then
 if ! grep -q -f /root/key.pub /root/.ssh/authorized_keys; then
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index 41c7dd62f3ed..4d493b3896f2 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -139,7 +139,7 @@ in
 # Don't download the SSH key if it has already been downloaded
 if ! [ -e /root/.ssh/authorized_keys ]; then
 echo "obtaining SSH key..."
- mkdir -p /root/.ssh
+ mkdir -m 0700 -p /root/.ssh
 ${wget} -O /root/authorized-keys-metadata http://metadata/0.1/meta-data/authorized-keys
 if [ $? -eq 0 -a -e /root/authorized-keys-metadata ]; then
 cat /root/authorized-keys-metadata | cut -d: -f2- > /root/key.pub
diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix
index 641ff924e14e..af9e6365a9fe 100644
--- a/nixos/tests/installer.nix
+++ b/nixos/tests/installer.nix
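Review bot: In stage-2-init.sh the added `chmod 0700 /root` sits directly under `mkdir -m 0700 -p /root` with no explanation, so it reads as redundant and could be dropped in a later cleanup. `mkdir -p` leaves the mode of an already existing directory untouched, which is presumably why the explicit chmod is needed on systems where /root was created earlier with wider permissions. I would add a comment above it, e.g. `# mkdir -p does not reset the mode of an existing /root, so enforce 0700 explicitly.`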
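Review bot: In ec2-data.nix, `mkdir -m 0700 -p /root/.ssh` sets the mode only when it actually creates the directory; if /root/.ssh already exists with wider permissions while authorized_keys is missing (the only condition the surrounding `if` tests), the mode stays as it was. This commit handles the same situation for /root with an explicit chmod, and the same would fit here: `chmod 0700 /root/.ssh` on the line after the mkdir. The google-compute-image.nix hunk has the identical line and needs the same addition. Both shell blocks continue outside their hunks, so whether a later line already fixes the mode is not visible here.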
@@ -190,6 +190,9 @@ let $machine->succeed("test -e /boot/grub"); + # Check whether /root has correct permissions. + $machine->succeed("stat -c '%a' /root") =~ /700/ or die; + # Did the swap device get activated? # uncomment once https://bugs.freedesktop.org/show_bug.cgi?id=86930 is resolved #$machine->waitForUnit("swap.target"); |
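Review bot: The new permission check in installer.nix matches with an unanchored `/700/`, so it also passes when `stat -c '%a'` prints a mode with extra special bits such as 1700, 2700 or 7000, which is not what the comment above it promises. Anchoring the pattern and giving the failure a message makes the test exact and easier to diagnose: `$machine->succeed("stat -c '%a' /root") =~ /^700$/ or die "/root is not mode 700";`. The `$` still matches before the trailing newline of the command output.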