[Nix-dev] Nix(OS) and passwords - builtins.writeFileToPath proposal

Marc Weber marco-oweber at gmx.de
Fri Dec 25 08:41:50 CET 2009


It is convenient to define passwords in /etc/nixos/configuration.nix.
However why shouldn't we put passwords there? Because they most probably
can be found in some .drv or /nix/store/* files which are world
readable, correct?

This applies to the extraUsers as well:
  usersFile = pkgs.writeText "users" (concatStrings (map serializedUser users));
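The concern above is checkable: anything that reaches the store through pkgs.writeText ends up in a world-readable file. The following POSIX shell function is an added example (not part of the original post) that scans a store directory for world-readable files containing a given secret string, so an administrator can confirm whether a password from configuration.nix has leaked. The store path, the secret and the sample layout used in the test are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report world-readable files
# under a Nix store directory that contain a given secret string.
#
# Usage: find_secret_leaks STORE_DIR SECRET
# Prints each offending file, one per line. Returns 0 when nothing is found
# (store is clean) and 1 when at least one world-readable file holds SECRET.
find_secret_leaks() {
    store="$1"
    secret="$2"
    # -perm -004 selects files whose "other" read bit is set (world readable).
    # grep -l prints only file names, -F matches the secret literally, and
    # -s hides errors for files that cannot be read. The "|| :" keeps a
    # non-zero status from find/grep (no match in some file) from aborting
    # callers that run under "set -e".
    leaks=$(find "$store" -type f -perm -004 \
                -exec grep -l -s -F -- "$secret" {} + 2>/dev/null) || :
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks"
        return 1
    fi
    return 0
}

# Stand-alone use: sh leakcheck.sh /nix/store "$(cat /root/db-password)"
if [ "$#" -eq 2 ]; then
    find_secret_leaks "$1" "$2"
fi
```

Run it against the real store as root with the secret read from a file rather than typed on the command line, so the secret does not show up in shell history or in the process list. A non-zero exit means the configuration still routes the secret through the store and needs to be changed, which is exactly the situation the post describes for extraUsers.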

How to remedy this problem?

I'd fix this by adding a new primop writeFileToPath destination text.

then instead of pkgs.writeText you could use

writeFileToPath /root/extraUsers.txt "[ .. file contents .. ]"

Then you have to care about /etc/nixos/configuration.nix that this isn't
world readable. The nix process run by nixos-rebuild is run by root,
correct? So nobody can access its memory. It might be the case that nix
writes the file multiple times which wouldn't matter.

Actually I don't care that much about extraUsers. I care about creating
database accounts automatically. This can be done similar to
extraUsers. However not every user who can login is allowed to access
all databases.

So what do you think about builtins.writeFileToPath
"file-path-no-store-location" "contents" ?

Is there another way to keep passwords top secret *and* specify them in
one configuration file (/etc/nixos/configuration.nix) which can be
implemented even faster than this primop ?

Marc Weber
