author | Shea Levy <shea@shealevy.com> | 2014-02-11 07:00:10 -0500 |
---|---|---|
committer | Shea Levy <shea@shealevy.com> | 2014-02-11 07:00:10 -0500 |
commit | 4ab5646417e3cc606281f71027c12ddced8b65b4 (patch) | |
tree | add9660ab03d4f30ef0c00872ef795bfa80b617b /nixos | |
parent | 8f64e74414e683767e5c603a57007de45c0b0501 (diff) | |
Add a keys group with read access to /run/keys
This allows processes running as unprivileged users to access keys they might need
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/misc/ids.nix | 1 | ||||
-rw-r--r-- | nixos/modules/system/boot/stage-2-init.sh | 3 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd.nix | 2 |
3 files changed, 5 insertions, 1 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 51da1a2cfce0..5f8111eb986b 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -201,6 +201,7 @@
 openldap = 93;
 connman = 94;
 munin = 95;
+ keys = 96;
 # When adding a gid, make sure it doesn't match an existing uid.
diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh
index e0ff258c0eec..b749172a3ff3 100644
--- a/nixos/modules/system/boot/stage-2-init.sh
+++ b/nixos/modules/system/boot/stage-2-init.sh
@@ -136,7 +136,8 @@ fi
 # elsehwere)
 if ! mountpoint -q /run/keys; then
 rm -rf /run/keys
- mkdir -m 0700 /run/keys
+ mkdir -m 0750 /run/keys
+ chown root:keys /run/keys
 mount -t ramfs none /run/keys
 fi
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index b575deb24b7b..e0773c1fab42 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -645,6 +645,8 @@ in
 '';
 # Target for ‘charon send-keys’ to hook into.
+ users.extraGroups.keys.gid = config.ids.gids.keys;
 systemd.targets.keys = {
 description = "Security Keys";
 }; |
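Review bot: In the stage-2-init.sh hunk, the new `mkdir -m 0750 /run/keys` and `chown root:keys /run/keys` set ownership and mode on the mountpoint directory, which is then covered by the following `mount -t ramfs none /run/keys`, so the /run/keys that processes actually see is the fresh ramfs root with its own default ownership and mode (typically root-owned 0755) rather than root:keys 0750; the replaced `mkdir -m 0700` had the same weakness, but this commit is the one that now relies on the group permission being effective. Apply the ownership and mode to the mounted filesystem instead: `mount -t ramfs none /run/keys`, then `chown root:keys /run/keys` and `chmod 0750 /run/keys`. Group-read on the directory only grants the keys group traversal and listing; each key file written there still needs its own mode set so only intended readers can open it, which this change does not address. The `if ! mountpoint -q /run/keys` block is complete within the hunk.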
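Review bot: In the systemd.nix hunk, the added `users.extraGroups.keys.gid = config.ids.gids.keys;` is inserted between the comment `# Target for ‘charon send-keys’ to hook into.` and the `systemd.targets.keys = {` attribute the comment describes, so the comment now reads as documenting the group rather than the target. Move the new assignment and its blank line above the comment so the comment stays attached to the target definition. The enclosing attribute set starts and ends outside the hunk.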