How do I install a file with custom permissions?

How do I install a file with custom permissions?

[Timo Wilken]

Hi Guixers,

I'm trying to patch the `wireguard-service-type' to accept pre-shared
keys and add them to the generated config. This all seems to work
fine, except that I can't get guix to generate a non-world-readable
configuration file.

I've tried adding a `(chmod port #o400)' call to the end of the lambda
that generates the config file (gnu/services/vpn.scm lines 784-838),
but that seems to have no effect -- the resulting file at
/gnu/store/...-wireguard-config/wg0.conf is still
world-readable. Adding `(chmod #$config-file #o400)' after the
`call-with-output-file' call doesn't work either.

What do I need to do to make guix install the generated config file
with 0400 permissions?

Cheers,
Timo

Re: How do I install a file with custom permissions?

[Julien Lepiller]

Hi Timo,

Files in the store are always world-readable and there's nothing you can do to change that. There has been discussions in the past about how to handle secrets in the store, but no solution so far.

One thing you can do, if wireguard allows it, is to have the pre-shared key in a separate file out of the store and simply point the config to that file (instead of using a file-like object). This is how we handle other secrets so far.

Le 29 novembre 2022 20:24:13 GMT+01:00, Timo Wilken <guix@twilken.net> a écrit :
>Hi Guixers,
>
>I'm trying to patch the `wireguard-service-type' to accept pre-shared
>keys and add them to the generated config. This all seems to work
>fine, except that I can't get guix to generate a non-world-readable
>configuration file.
>
>I've tried adding a `(chmod port #o400)' call to the end of the lambda
>that generates the config file (gnu/services/vpn.scm lines 784-838),
>but that seems to have no effect -- the resulting file at
>/gnu/store/...-wireguard-config/wg0.conf is still
>world-readable. Adding `(chmod #$config-file #o400)' after the
>`call-with-output-file' call doesn't work either.
>
>What do I need to do to make guix install the generated config file
>with 0400 permissions?
>
>Cheers,
>Timo
>

Re: How do I install a file with custom permissions?

[Tobias Geerinckx-Rice]

[-- Attachment #1: Type: text/plain, Size: 1325 bytes --]

Hi Timo,

Timo Wilken 写道：
> I'm trying to patch the `wireguard-service-type' to accept 
> pre-shared
> keys and add them to the generated config. This all seems to 
> work
> fine, except that I can't get guix to generate a 
> non-world-readable
> configuration file.

Alas (for your plans), this is not possible.  Guix's store model, 
inherited from Nix, is a word-readable heap.

Dealing with secrets outside of the store is one area where Nix is 
‘ahead’ of Guix, in that they seem to have multiple solutions[0]. 
Very Nix.

Guix users currently use strategies similar to the second half of 
that table: the secret is placed outside of the store, not managed 
through Guix, and the Guix service/package is pointed to it at run 
time.  Every search result for ‘secrets’ in the Guix manual is 
part of such a primitive scheme.

This is how Wireguard is set up on berlin, the Guix build farm. 
/etc/wireguard/private.key was generated manually and Guix never 
deals with it.

If you want to add secrets to Guix services, you'll have to design 
a general mechanism for doing so first.  I don't have links handy 
but I'm sure there's prior discussion, perhaps even art, on the 
mailing lists.

Sorry,

T G-R

[0]: https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]

Re: How do I install a file with custom permissions?

[Timo Wilken]

Hi Julien,

Thanks! It did seem slightly odd to me how `wireguard-service-type'
set the private key in a bit of a roundabout way, by referring to an
external file. I'll try and set the pre-shared keys the same way.

Cheers,
Timo


On Tue, Nov 29, 2022 at 08:34:21PM +0100, Julien Lepiller wrote:
> Hi Timo,
> 
> Files in the store are always world-readable and there's nothing you can do to change that. There has been discussions in the past about how to handle secrets in the store, but no solution so far.
> 
> One thing you can do, if wireguard allows it, is to have the pre-shared key in a separate file out of the store and simply point the config to that file (instead of using a file-like object). This is how we handle other secrets so far.
> 
> Le 29 novembre 2022 20:24:13 GMT+01:00, Timo Wilken <guix@twilken.net> a écrit :
> >Hi Guixers,
> >
> >I'm trying to patch the `wireguard-service-type' to accept pre-shared
> >keys and add them to the generated config. This all seems to work
> >fine, except that I can't get guix to generate a non-world-readable
> >configuration file.
> >
> >I've tried adding a `(chmod port #o400)' call to the end of the lambda
> >that generates the config file (gnu/services/vpn.scm lines 784-838),
> >but that seems to have no effect -- the resulting file at
> >/gnu/store/...-wireguard-config/wg0.conf is still
> >world-readable. Adding `(chmod #$config-file #o400)' after the
> >`call-with-output-file' call doesn't work either.
> >
> >What do I need to do to make guix install the generated config file
> >with 0400 permissions?
> >
> >Cheers,
> >Timo
> >

Re: How do I install a file with custom permissions?

[Timo Wilken]

Hi Tobias,

On Tue, Nov 29, 2022 at 08:34:44PM +0100, Tobias Geerinckx-Rice wrote:
> Hi Timo,
> 
> Timo Wilken 写道：
> > I'm trying to patch the `wireguard-service-type' to accept pre-shared
> > keys and add them to the generated config. This all seems to work
> > fine, except that I can't get guix to generate a non-world-readable
> > configuration file.
> 
> Alas (for your plans), this is not possible.  Guix's store model, inherited
> from Nix, is a word-readable heap.
> 
> Dealing with secrets outside of the store is one area where Nix is ‘ahead’
> of Guix, in that they seem to have multiple solutions[0]. Very Nix.
> 
> Guix users currently use strategies similar to the second half of that
> table: the secret is placed outside of the store, not managed through Guix,
> and the Guix service/package is pointed to it at run time.  Every search
> result for ‘secrets’ in the Guix manual is part of such a primitive scheme.

Fair enough. Thanks for the pointers!

Cheers,
Timo