diff options
author | Maciej Krüger <mkg20001@gmail.com> | 2024-01-04 12:22:38 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-01-04 12:22:38 +0100 |
commit | bf419d50d2c62dd4c96194e8a2bd39e588d354a4 (patch) | |
tree | 3853fe84d337cd8b2d8cd3d12eee84f62e17dd6c /nixos | |
parent | 53c1e67df5a23fd62761134ca1d0a48dbaa1deff (diff) | |
parent | 081ec8a6363c1d2ac8dd8ad27e130feb50547629 (diff) |
Merge pull request #275312 from nbraud/nixos/wpa_supplicant/backport
nixos/wpa_supplicant: Ensure the generated config isn't world-readable
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2311.section.md | 8 | ||||
-rw-r--r-- | nixos/modules/services/networking/wpa_supplicant.nix | 4 |
2 files changed, 12 insertions, 0 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index 4992e2b8af45b..24d7531d3c9d4 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md @@ -1292,6 +1292,14 @@ Make sure to also check the many updates in the [Nixpkgs library](#sec-release-2 qemu-vm module from overriding `fileSystems` by setting `virtualisation.fileSystems = lib.mkForce { };`. +- `wpa_supplicant`'s configuration file cannot be read by non-root users, and + secrets (such as Pre-Shared Keys) can safely be passed via + `networking.wireless.environmentFile`. + + The configuration file could previously be read, when `userControlled.enable` (non-default), + by users who are in both `wheel` and `userControlled.group` (defaults to `wheel`) + + ## Nixpkgs Library {#sec-release-23.11-nixpkgs-lib} ### Breaking Changes {#sec-release-23.11-lib-breaking} diff --git a/nixos/modules/services/networking/wpa_supplicant.nix b/nixos/modules/services/networking/wpa_supplicant.nix index 90d9c68433cf4..4586550ed75e7 100644 --- a/nixos/modules/services/networking/wpa_supplicant.nix +++ b/nixos/modules/services/networking/wpa_supplicant.nix @@ -107,6 +107,10 @@ let stopIfChanged = false; path = [ package ]; + # if `userControl.enable`, the supplicant automatically changes the permissions + # and owning group of the runtime dir; setting `umask` ensures the generated + # config file isn't readable (except to root); see nixpkgs#267693 + serviceConfig.UMask = "066"; serviceConfig.RuntimeDirectory = "wpa_supplicant"; serviceConfig.RuntimeDirectoryMode = "700"; serviceConfig.EnvironmentFile = mkIf (cfg.environmentFile != null) |