
Fix leaking secret keys: Allow defining keyFiles as strings #1237

Closed

Conversation

erikarvstedt
Member

Only allowing type 'path' forces keyFiles to be copied to the nix store
when deploying, which is a serious security flaw.

@erikarvstedt erikarvstedt changed the title Allow defining keyFiles as strings Fix leaking secret keys: Allow defining keyFiles as strings Mar 1, 2020
@grahamc
Member

grahamc commented Mar 26, 2020

I was checking in to this, and I think there is a bit of a misunderstanding making this unclear. This is totally safe:

{
  mymachine = {
    deployment.keys."wireguard.nix".keyFile = ./wireguard.nix;
  };
}

when NixOps instantiates this, it uses Nix's --xml option, which outputs:

$ nix-instantiate --xml --strict --eval ./flexo/test.nix
<?xml version='1.0' encoding='utf-8'?>
<expr>
  <attrs>
    <attr column="2" line="1" name="deployment" path="/home/grahamc/projects/github.com/grahamc/network/flexo/test.nix">
      <attrs>
        <attr column="2" line="1" name="keys" path="/home/grahamc/projects/github.com/grahamc/network/flexo/test.nix">
          <attrs>
            <attr column="2" line="1" name="wireguard.nix" path="/home/grahamc/projects/github.com/grahamc/network/flexo/test.nix">
              <attrs>
                <attr column="2" line="1" name="keyFile" path="/home/grahamc/projects/github.com/grahamc/network/flexo/test.nix">
                  <path value="/home/grahamc/projects/github.com/grahamc/network/flexo/wireguard.nix" />
                </attr>
              </attrs>
            </attr>
          </attrs>
        </attr>
      </attrs>
    </attr>
  </attrs>
</expr>

If you use --json, you see a much scarier option:

$ nix-instantiate --json --strict --eval ./flexo/test.nix
{"deployment":{"keys":{"wireguard.nix":{"keyFile":"/nix/store/6zqi994kn704la75wj5kygphfr2xdgg2-wireguard.nix"}}}}

but that file is never copied in:

[nix-shell:~/projects/github.com/grahamc/network]$ file /nix/store/6zqi994kn704la75wj5kygphfr2xdgg2-wireguard.nix
/nix/store/6zqi994kn704la75wj5kygphfr2xdgg2-wireguard.nix: cannot open `/nix/store/6zqi994kn704la75wj5kygphfr2xdgg2-wireguard.nix' (No such file or directory)

IN GENERAL, your note about using secrets as paths in a Nix expression IS dangerous, and NixOps in this case takes specific steps to make it safer.

I confirmed this is the case with strace:

$ strace --string-limit=2000 -f nixops send-keys --include flexo --debug  2>&1 | grep 'wireguard.nix'
pread64(5, " \"wireguard.nix\": {\"keyFile\": \"/home/grahamc/projects/github.com/grahamc/network/flexo/wireguard.nix\", \"destDir\": \"/run/keys\", \"user\": \"root\", \"group\": \"root\", \"permissions\": \"0600\"}}\0\0\1^\0...c"..., 4096, 61440) = 4096
[pid  7913] sendto(4, "<12>nixops[7902]: flexo.......> uploading key \342\200\230wireguard.nix\342\200\231...\0", 69, 0, NULL, 0) = 69
[pid  7913] write(2, "flexo.......> uploading key \342\200\230wireguard.nix\342\200\231...\n", 51flexo.......> uploading key ‘wireguard.nix’...
[pid  7929] execve("/nix/store/n8nviwmllwqv0fjsar8v8k8gjap1vhcw-python3-3.7.6/bin/cp", ["cp", "/home/grahamc/projects/github.com/grahamc/network/flexo/wireguard.nix", "/run/user/1000/nixops-tmp1_8xbnuw/key-flexo"], 0x7ffff45ccb40 /* 129 vars */) = -1 ENOENT (No such file or directory)
[pid  7929] execve("/nix/store/58bx44mpnkp3mwfjx7i7h8w63knmxwi7-nixops-1.8.0/bin/cp", ["cp", "/home/grahamc/projects/github.com/grahamc/network/flexo/wireguard.nix", "/run/user/1000/nixops-tmp1_8xbnuw/key-flexo"], 0x7ffff45ccb40 /* 129 vars */) = -1 ENOENT (No such file or directory)
[pid  7929] execve("/nix/store/s11rvjgyc3ascbbfppgq5r0hfnz7m5kd-openssh-8.2p1/bin/cp", ["cp", "/home/grahamc/projects/github.com/grahamc/network/flexo/wireguard.nix", "/run/user/1000/nixops-tmp1_8xbnuw/key-flexo"], 0x7ffff45ccb40 /* 129 vars */) = -1 ENOENT (No such file or directory)
[pid  7929] execve("/nix/store/l52pcvigxfbmxai35ngazvdnli3gifj2-python3.7-docutils-0.15.2/bin/cp", ["cp", "/home/grahamc/projects/github.com/grahamc/network/flexo/wireguard.nix", "/run/user/1000/nixops-tmp1_8xbnuw/key-flexo"], 0x7ffff45ccb40 /* 129 vars */) = -1 ENOENT (No such file or directory)
[pid  7929] execve("/nix/store/2ys6vcmzkc14ml844i7h99kmvicq7h63-python3.7-jmespath-0.9.5/bin/cp", ["cp", "/home/grahamc/projects/github.com/grahamc/network/flexo/wireguard.nix", "/run/user/1000/nixops-tmp1_8xbnuw/key-flexo"], 0x7ffff45ccb40 /* 129 vars */) = -1 ENOENT (No such file or directory)
[pid  7929] execve("/nix/store/yg1wcw84k83wpfdn6vd28qig64jfrkgz-python3.7-setuptools-44.0.0/bin/cp", ["cp", "/home/grahamc/projects/github.com/grahamc/network/flexo/wireguard.nix", "/run/user/1000/nixops-tmp1_8xbnuw/key-flexo"], 0x7ffff45ccb40 /* 129 vars */) = -1 ENOENT (No such file or directory)
[pid  7929] execve("/nix/store/jirzjbbpl4j2kl2f01cfnrralxr5aw7a-bash-interactive-4.4-p23/bin/cp", ["cp", "/home/grahamc/projects/github.com/grahamc/network/flexo/wireguard.nix", "/run/user/1000/nixops-tmp1_8xbnuw/key-flexo"], 0x7ffff45ccb40 /* 129 vars */) = -1 ENOENT (No such file or directory)
[pid  7929] execve("/nix/store/ck9xy9qgpjhp3k80pwhlff9mq80w3ax5-patchelf-0.9/bin/cp", ["cp", "/home/grahamc/projects/github.com/grahamc/network/flexo/wireguard.nix", "/run/user/1000/nixops-tmp1_8xbnuw/key-flexo"], 0x7ffff45ccb40 /* 129 vars */) = -1 ENOENT (No such file or directory)
[pid  7929] execve("/nix/store/6lw4ansnm3dr08zf5nmcs9s92q9rhfxc-gcc-wrapper-9.2.0/bin/cp", ["cp", "/home/grahamc/projects/github.com/grahamc/network/flexo/wireguard.nix", "/run/user/1000/nixops-tmp1_8xbnuw/key-flexo"], 0x7ffff45ccb40 /* 129 vars */) = -1 ENOENT (No such file or directory)
[pid  7929] execve("/nix/store/va2z9a5k1ds65pxg7kfrs3p38zxk157k-gcc-9.2.0/bin/cp", ["cp", "/home/grahamc/projects/github.com/grahamc/network/flexo/wireguard.nix", "/run/user/1000/nixops-tmp1_8xbnuw/key-flexo"], 0x7ffff45ccb40 /* 129 vars */) = -1 ENOENT (No such file or directory)
[pid  7929] execve("/nix/store/ad115wnlpndz5xkkvz19k2ihsb5cdqpz-glibc-2.30-bin/bin/cp", ["cp", "/home/grahamc/projects/github.com/grahamc/network/flexo/wireguard.nix", "/run/user/1000/nixops-tmp1_8xbnuw/key-flexo"], 0x7ffff45ccb40 /* 129 vars */) = -1 ENOENT (No such file or directory)
[pid  7929] execve("/nix/store/3qgg8xzdyfd7nql0qlkb1xpnrfz4k1s2-coreutils-8.31/bin/cp", ["cp", "/home/grahamc/projects/github.com/grahamc/network/flexo/wireguard.nix", "/run/user/1000/nixops-tmp1_8xbnuw/key-flexo"], 0x7ffff45ccb40 /* 129 vars */ <unfinished ...>
[pid  7929] stat("/home/grahamc/projects/github.com/grahamc/network/flexo/wireguard.nix", {st_mode=S_IFREG|0644, st_size=2459, ...}) = 0
[pid  7929] openat(AT_FDCWD, "/home/grahamc/projects/github.com/grahamc/network/flexo/wireguard.nix", O_RDONLY) = 3
[pid  7930] execve("/nix/store/n8nviwmllwqv0fjsar8v8k8gjap1vhcw-python3-3.7.6/bin/ssh", ["ssh", "-oControlPath=/run/user/1000/nixops-ssh-tmp8izrcsbm/master-socket", "-p", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-p", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-x", "root@147.75.105.137", "--", "rm -f '/run/keys/wireguard.nix' '/run/keys/.wireguard.nix.tmp'"], 0x7ffff45ccb40 /* 129 vars */) = -1 ENOENT (No such file or directory)
[pid  7930] execve("/nix/store/58bx44mpnkp3mwfjx7i7h8w63knmxwi7-nixops-1.8.0/bin/ssh", ["ssh", "-oControlPath=/run/user/1000/nixops-ssh-tmp8izrcsbm/master-socket", "-p", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-p", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-x", "root@147.75.105.137", "--", "rm -f '/run/keys/wireguard.nix' '/run/keys/.wireguard.nix.tmp'"], 0x7ffff45ccb40 /* 129 vars */) = -1 ENOENT (No such file or directory)
[pid  7930] execve("/nix/store/s11rvjgyc3ascbbfppgq5r0hfnz7m5kd-openssh-8.2p1/bin/ssh", ["ssh", "-oControlPath=/run/user/1000/nixops-ssh-tmp8izrcsbm/master-socket", "-p", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-p", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-x", "root@147.75.105.137", "--", "rm -f '/run/keys/wireguard.nix' '/run/keys/.wireguard.nix.tmp'"], 0x7ffff45ccb40 /* 129 vars */ <unfinished ...>
[pid  7930] write(3, "\0\0\0o\20\0\0\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0~\0\0\0\talacritty\0\0\0>rm -f '/run/keys/wireguard.nix' '/run/keys/.wireguard.nix.tmp'", 115) = 115
[pid  7921] <... read resumed>"\20\0\0\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0~\0\0\0\talacritty\0\0\0>rm -f '/run/keys/wireguard.nix' '/run/keys/.wireguard.nix.tmp'", 111) = 111
[pid  7931] execve("/nix/store/n8nviwmllwqv0fjsar8v8k8gjap1vhcw-python3-3.7.6/bin/scp", ["scp", "-P", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-oControlPath=/run/user/1000/nixops-ssh-tmp8izrcsbm/master-socket", "/run/user/1000/nixops-tmp1_8xbnuw/key-flexo", "root@147.75.105.137:/run/keys/.wireguard.nix.tmp"], 0x7ffff45ccb40 /* 129 vars */) = -1 ENOENT (No such file or directory)
[pid  7931] execve("/nix/store/58bx44mpnkp3mwfjx7i7h8w63knmxwi7-nixops-1.8.0/bin/scp", ["scp", "-P", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-oControlPath=/run/user/1000/nixops-ssh-tmp8izrcsbm/master-socket", "/run/user/1000/nixops-tmp1_8xbnuw/key-flexo", "root@147.75.105.137:/run/keys/.wireguard.nix.tmp"], 0x7ffff45ccb40 /* 129 vars */) = -1 ENOENT (No such file or directory)
[pid  7931] execve("/nix/store/s11rvjgyc3ascbbfppgq5r0hfnz7m5kd-openssh-8.2p1/bin/scp", ["scp", "-P", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-oControlPath=/run/user/1000/nixops-ssh-tmp8izrcsbm/master-socket", "/run/user/1000/nixops-tmp1_8xbnuw/key-flexo", "root@147.75.105.137:/run/keys/.wireguard.nix.tmp"], 0x7ffff45ccb40 /* 129 vars */ <unfinished ...>
[pid  7932] execve("/nix/store/s11rvjgyc3ascbbfppgq5r0hfnz7m5kd-openssh-8.2p1/bin/ssh", ["/nix/store/s11rvjgyc3ascbbfppgq5r0hfnz7m5kd-openssh-8.2p1/bin/ssh", "-x", "-oForwardAgent=no", "-oPermitLocalCommand=no", "-oClearAllForwardings=yes", "-oRemoteCommand=none", "-oRequestTTY=no", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-o", "ControlPath=/run/user/1000/nixops-ssh-tmp8izrcsbm/master-socket", "-p", "22", "-l", "root", "--", "147.75.105.137", "scp -t /run/keys/.wireguard.nix.tmp"], 0x7ffdaa608fa0 /* 129 vars */) = 0
[pid  7932] write(3, "\0\0\0T\20\0\0\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0~\0\0\0\talacritty\0\0\0#scp -t /run/keys/.wireguard.nix.tmp", 88) = 88
[pid  7921] <... read resumed>"\20\0\0\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0~\0\0\0\talacritty\0\0\0#scp -t /run/keys/.wireguard.nix.tmp", 84) = 84

[pid  7933] execve("/nix/store/n8nviwmllwqv0fjsar8v8k8gjap1vhcw-python3-3.7.6/bin/ssh", ["ssh", "-oControlPath=/run/user/1000/nixops-ssh-tmp8izrcsbm/master-socket", "-p", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-p", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-x", "root@147.75.105.137", "--", "(  getent passwd 'root' >/dev/null &&  getent group 'root' >/dev/null &&  chown 'root:root' '/run/keys/.wireguard.nix.tmp' ); chmod '0600' '/run/keys/.wireguard.nix.tmp'"], 0x7ffff45ccb40 /* 129 vars */) = -1 ENOENT (No such file or directory)
[pid  7933] execve("/nix/store/58bx44mpnkp3mwfjx7i7h8w63knmxwi7-nixops-1.8.0/bin/ssh", ["ssh", "-oControlPath=/run/user/1000/nixops-ssh-tmp8izrcsbm/master-socket", "-p", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-p", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-x", "root@147.75.105.137", "--", "(  getent passwd 'root' >/dev/null &&  getent group 'root' >/dev/null &&  chown 'root:root' '/run/keys/.wireguard.nix.tmp' ); chmod '0600' '/run/keys/.wireguard.nix.tmp'"], 0x7ffff45ccb40 /* 129 vars */) = -1 ENOENT (No such file or directory)
[pid  7933] execve("/nix/store/s11rvjgyc3ascbbfppgq5r0hfnz7m5kd-openssh-8.2p1/bin/ssh", ["ssh", "-oControlPath=/run/user/1000/nixops-ssh-tmp8izrcsbm/master-socket", "-p", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-p", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-x", "root@147.75.105.137", "--", "(  getent passwd 'root' >/dev/null &&  getent group 'root' >/dev/null &&  chown 'root:root' '/run/keys/.wireguard.nix.tmp' ); chmod '0600' '/run/keys/.wireguard.nix.tmp'"], 0x7ffff45ccb40 /* 129 vars */ <unfinished ...>
[pid  7933] write(3, "\0\0\0\332\20\0\0\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0~\0\0\0\talacritty\0\0\0\251(  getent passwd 'root' >/dev/null &&  getent group 'root' >/dev/null &&  chown 'root:root' '/run/keys/.wireguard.nix.tmp' ); chmod '0600' '/run/keys/.wireguard.nix.tmp'", 222) = 222
[pid  7921] <... read resumed>"\20\0\0\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0~\0\0\0\talacritty\0\0\0\251(  getent passwd 'root' >/dev/null &&  getent group 'root' >/dev/null &&  chown 'root:root' '/run/keys/.wireguard.nix.tmp' ); chmod '0600' '/run/keys/.wireguard.nix.tmp'", 218) = 218
[pid  7934] execve("/nix/store/n8nviwmllwqv0fjsar8v8k8gjap1vhcw-python3-3.7.6/bin/ssh", ["ssh", "-oControlPath=/run/user/1000/nixops-ssh-tmp8izrcsbm/master-socket", "-p", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-p", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-x", "root@147.75.105.137", "--", "mv '/run/keys/.wireguard.nix.tmp' '/run/keys/wireguard.nix'"], 0x7ffff45ccb40 /* 129 vars */) = -1 ENOENT (No such file or directory)
[pid  7934] execve("/nix/store/58bx44mpnkp3mwfjx7i7h8w63knmxwi7-nixops-1.8.0/bin/ssh", ["ssh", "-oControlPath=/run/user/1000/nixops-ssh-tmp8izrcsbm/master-socket", "-p", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-p", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-x", "root@147.75.105.137", "--", "mv '/run/keys/.wireguard.nix.tmp' '/run/keys/wireguard.nix'"], 0x7ffff45ccb40 /* 129 vars */) = -1 ENOENT (No such file or directory)
[pid  7934] execve("/nix/store/s11rvjgyc3ascbbfppgq5r0hfnz7m5kd-openssh-8.2p1/bin/ssh", ["ssh", "-oControlPath=/run/user/1000/nixops-ssh-tmp8izrcsbm/master-socket", "-p", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-p", "22", "-o", "StrictHostKeyChecking=accept-new", "-i", "/run/user/1000/nixops-tmp1_8xbnuw/id_nixops-flexo", "-x", "root@147.75.105.137", "--", "mv '/run/keys/.wireguard.nix.tmp' '/run/keys/wireguard.nix'"], 0x7ffff45ccb40 /* 129 vars */ <unfinished ...>
[pid  7934] write(3, "\0\0\0l\20\0\0\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0~\0\0\0\talacritty\0\0\0;mv '/run/keys/.wireguard.nix.tmp' '/run/keys/wireguard.nix'", 112) = 112
[pid  7921] <... read resumed>"\20\0\0\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0~\0\0\0\talacritty\0\0\0;mv '/run/keys/.wireguard.nix.tmp' '/run/keys/wireguard.nix'", 108) = 108

that said, being able to pass a string here makes sense, too.
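The safety argument above rests on what the evaluator actually emits for each keyFile: a path that still points at the original location is fine, a value rewritten to a /nix/store path means the secret has been copied into the world-readable store. The following is an added example (not NixOps code or anything from this PR) that turns that check into a script: it parses output in the shape of the `nix-instantiate --xml --strict --eval` listing quoted in the comment, collects every `keyFile` attribute wherever it sits in the attribute tree, and flags any whose value lies under `/nix/store/`. The XML samples, the `/home/example/...` and `/etc/secrets/...` locations and the all-zero store hash are constructed placeholders, and the script assumes the option name `keyFile` and the `deployment.keys` layout shown on this page.

```python
# Added example (not NixOps code): check an evaluated network for secret key
# files that resolve into /nix/store. It parses the output format of
# `nix-instantiate --xml --strict --eval` and flags every keyFile attribute
# whose value lives under the store prefix, which would mean the secret was
# copied into the world-readable store.
import xml.etree.ElementTree as ET

STORE_PREFIX = "/nix/store/"
# Placeholder store path for the counter-example (not a real store path).
PLACEHOLDER_STORE_PATH = "/nix/store/00000000000000000000000000000000-wireguard.nix"


def find_key_files(xml_text):
    """Return (dotted attribute path, value tag, value) for every keyFile.

    In --xml output a Nix path value appears as <path value="..."/> and a
    string value as <string value="..."/>; the tag tells them apart.
    """
    root = ET.fromstring(xml_text)
    found = []

    def walk(attrs_elem, trail):
        for attr in attrs_elem.findall("attr"):
            name = attr.get("name")
            here = trail + [name]
            if name == "keyFile":
                value_elem = attr.find("*")  # <path .../> or <string .../>
                if value_elem is not None:
                    found.append((".".join(here), value_elem.tag,
                                  value_elem.get("value")))
                continue
            for nested in attr.findall("attrs"):  # descend into attribute sets
                walk(nested, here)

    for top in root.findall("attrs"):
        walk(top, [])
    return found


def store_leaks(xml_text):
    """Subset of find_key_files() whose value points into /nix/store."""
    return [(trail, value) for trail, _tag, value in find_key_files(xml_text)
            if value is not None and value.startswith(STORE_PREFIX)]


# Constructed sample in the shape of the --xml output quoted above: one key
# given as a path outside the store (safe) and one given as a plain string.
SAFE_XML = """<expr>
  <attrs>
    <attr name="deployment">
      <attrs>
        <attr name="keys">
          <attrs>
            <attr name="wireguard.nix">
              <attrs>
                <attr name="keyFile">
                  <path value="/home/example/network/flexo/wireguard.nix" />
                </attr>
              </attrs>
            </attr>
            <attr name="db-password">
              <attrs>
                <attr name="keyFile">
                  <string value="/etc/secrets/db-password" />
                </attr>
              </attrs>
            </attr>
          </attrs>
        </attr>
      </attrs>
    </attr>
  </attrs>
</expr>
"""

# Constructed counter-example: the same key, but the value has already been
# rewritten to a store path (as the --json listing above would show it).
LEAK_XML = SAFE_XML.replace("/home/example/network/flexo/wireguard.nix",
                            PLACEHOLDER_STORE_PATH)

if __name__ == "__main__":
    for label, xml_text in (("safe", SAFE_XML), ("leak", LEAK_XML)):
        leaks = store_leaks(xml_text)
        if leaks:
            print(f"{label}: LEAK " + ", ".join(f"{t} -> {v}" for t, v in leaks))
        else:
            print(f"{label}: OK, no key file in /nix/store")
```

To use it against a real network, feed it the output of `nix-instantiate --xml --strict --eval` on the network expression; the walk is position-independent, so it finds `keyFile` attributes whether they sit directly under `deployment.keys` or under a machine name first.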

Member

@grahamc grahamc left a comment


This requires patching the option as well: https://github.com/NixOS/nixops/blob/master/nix/keys.nix#L25

@grahamc
Member

grahamc commented Apr 15, 2020

Feel free to open again once you update the other bit!

@grahamc grahamc closed this Apr 15, 2020
@grahamc grahamc added this to the 2.0 milestone Apr 20, 2020