Allow users in group "keys" to access /run/keys.

This makes it at least possible to access the keys directory if a particular service is in the keys group, which has been introduced by NixOS/nixpkgs@4ab5646. However, to let specific users access a particular key, you still need to work around it by adding an additional systemd service that sets the right permissions. But at least with this we should have some consistency with what is actually done in <nixpkgs>. Signed-off-by: aszlig <[email protected]>
aszlig · Jun 24, 2014 · 51cafce · 51cafce
1 parent 58cdd27
commit 51cafce
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/nix/keys.nix b/nix/keys.nix
@@ -34,7 +34,8 @@ with pkgs.lib;
         Thus, <literal>{ password = "foobar"; }</literal> causes a
         file <filename>/run/keys/password</filename> to be created
         with contents <literal>foobar</literal>.  The directory
-        <filename>/run/keys</filename> is only accessible to root.
+        <filename>/run/keys</filename> is only accessible to root and
+        the <literal>keys</literal> group.
       '';
     };
 
@@ -47,7 +48,8 @@ with pkgs.lib;
 
     system.activationScripts.nixops-keys =
       ''
-        mkdir -p /run/keys -m 0700
+        mkdir -p /run/keys -m 0750
+        chown root:keys /run/keys
 
         ${optionalString config.deployment.storeKeysOnMachine
             (concatStrings (mapAttrsToList (name: value:

diff --git a/nixops/backends/__init__.py b/nixops/backends/__init__.py
@@ -175,7 +175,8 @@ def reboot_rescue(self, hard=False):
 
     def send_keys(self):
         if self.store_keys_on_machine: return
-        self.run_command("mkdir -m 0700 -p /run/keys")
+        self.run_command("mkdir -m 0750 -p /run/keys"
+                         " && chown root:keys /run/keys")
         for k, v in self.get_keys().items():
             self.log("uploading key ‘{0}’...".format(k))
             tmp = self.depl.tempdir + "/key-" + self.name