[Nix-dev] Nix(OS) and passwords ? builtins.writeFileToPath proposal

Nicolas Pierron nicolas.b.pierron at gmail.com
Sat Dec 26 14:57:28 CET 2009


Hi Marc,

I thought multiple times about this issue.  I see another solution which
implies the implementation of the following rules:

   - Restricted file/data should not be copied into the store and
     should cause the failure of the build process.
   - The permission of a derivation corresponds to the intersection of
     all dependencies' permissions.

Thus you have no risk of copying data which may compromise your
system.  To build your derivation you need a nix store with restricted
access which can inherit derivations from the primary nix store
without copying stuff.  Currently you can use NIX_OTHER_STORES, but
this copies data.

restricted nix/store:  /nix/users/root/store/

On Fri, Dec 25, 2009 at 08:41, Marc Weber <marco-oweber at gmx.de> wrote:
> It is convenient to define passwords in /etc/nixos/configuration.nix.
> However why shouldn't we put passwords there? Because they most probably
> can be found in some .drv or /nix/store/* files which are world
> readable, correct?
>
> This applies to the extraUsers as well:
>  usersFile = pkgs.writeText "users" (concatStrings (map serializedUser users));
>
> How to remedy this problem?
>
> I'd fix this by adding a new primop writeFileToPath destination text.
>
> then instead of pkgs.writeText you could use
>
> writeFileToPath /root/extraUsers.txt "[ .. file contents .. ]"
>
> Then you have to care about /etc/nixos/configuration.nix that this isn't
> world readable. The nix process run by nixos-rebuild is run by root,
> correct? So nobody can access its memory. It might be the case that nix
> writes the file multiple times which wouldn't matter.
>
> Actually I don't care that much about extraUsers.. I care about creating
> database accounts automatically. This can be done similar to
> extraUsers.. However not every user who can login is allowed to access
> all databases.
>
> So what do you think about builtins.writeFileToPath
> "file-path-no-store-location" "contents" ?
>
> Is there another way to keep passwords top secret *and* specify them in
> one configuration file (/etc/nixos/configuration.nix) which can be
> implemented even faster than this primop ?
>
> Marc Weber



-- 
Nicolas Pierron
http://www.linkedin.com/in/nicolasbpierron - http://nbp.name/
Lars Rasmussen (Google IO 2009) - Icland is an icland.
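
A toy model of the two rules proposed in the message above, added here as an illustration; it is not code from the thread or from Nix. The `Drv` class, the function names and the reader sets are hypothetical, and "permission" is modelled as the set of users allowed to read a path.

```python
# Toy model of the two proposed rules; all names here are hypothetical.
from dataclasses import dataclass, field
from typing import Optional

EVERYONE = None  # universal reader set, i.e. world-readable


@dataclass
class Drv:
    name: str
    readers: Optional[frozenset] = EVERYONE  # who may read this input itself
    deps: list = field(default_factory=list)


class RestrictedDataError(Exception):
    """Building would expose restricted data to a wider audience."""


def intersect(a, b):
    # EVERYONE acts as the identity element for intersection.
    if a is EVERYONE:
        return b
    if b is EVERYONE:
        return a
    return a & b


def effective_readers(drv):
    # Rule 2: own permission intersected with every transitive dependency's.
    result = drv.readers
    for dep in drv.deps:
        result = intersect(result, effective_readers(dep))
    return result


def check_build(drv, store_readers=EVERYONE):
    # Rule 1: fail the build instead of copying restricted data into a
    # store that more users can read than the derivation allows.
    allowed = effective_readers(drv)
    if allowed is not EVERYONE and (
        store_readers is EVERYONE or not store_readers <= allowed
    ):
        raise RestrictedDataError(f"{drv.name}: restricted to {sorted(allowed)}")
    return allowed


# Constructed sample graph: a users file built from a root-only password source.
ROOT = frozenset({"root"})
passwords = Drv("passwords", readers=ROOT)
users_file = Drv("users", deps=[Drv("coreutils"), passwords])
system = Drv("system", deps=[users_file])
```

With this graph, `check_build(system)` against the default world-readable store raises, while `check_build(system, store_readers=ROOT)` succeeds, which corresponds to building in a root-only store.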


