iodine: improve password handling #58806

Merged
merged 1 commit into from Apr 8, 2019
iblech
Contributor

@iblech iblech commented Apr 2, 2019

Before this change, only passwords not containing shell metacharacters could be used, and because the password was passed as a command-line argument, local users could (in a very small window of time) record the password and (in an indefinite window of time) record the length of the password.

We also use the opportunity to add a call to exec in the systemd start script, so that no shell needs to hang around waiting for iodine to stop.

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@iblech iblech requested a review from infinisil as a code owner April 2, 2019 15:02
@iblech iblech force-pushed the patch-10 branch 2 times, most recently from 72747fe to 3cd1cfc Compare April 2, 2019 15:06
Before this change, only passwords not containing shell metacharacters could be
used, and because the password was passed as a command-line argument, local
users could (in a very small window of time) record the password and (in an
indefinite window of time) record the length of the password.

We also use the opportunity to add a call to `exec` in the systemd start
script, so that no shell needs to hang around waiting for iodine to stop.
@xeji xeji merged commit efff2e1 into NixOS:master Apr 8, 2019
iblech added a commit to iblech/nixpkgs that referenced this pull request Apr 13, 2020
worldofpeace added a commit that referenced this pull request Apr 14, 2020
jappeace pushed a commit to jappeace/nixpkgs that referenced this pull request Apr 17, 2020
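
The two problems named in the pull request description, as an added example that is not part of the pull request or of the nixpkgs code: on Linux a secret in argv can be read by other local users from /proc/PID/cmdline, and a secret spliced into script text is re-parsed by the shell. The stand-in process, its `-P` flag as used here, and the `STANDIN_PASS` variable are assumptions for illustration.

```sh
#!/bin/sh
# Constructed sample secret with shell metacharacters (not a real credential).
SECRET='pa$$ w*rd;#1'

# Print the argv of PID as any local user can read it from the world-readable
# /proc/PID/cmdline (Linux). Polls briefly until the child has exec'd.
argv_of() {
  for _try in 1 2 3 4 5 6 7 8 9 10; do
    { tr '\0' ' ' < "/proc/$1/cmdline"; } 2>/dev/null | grep -q stand-in && break
    sleep 0.1
  done
  tr '\0' ' ' < "/proc/$1/cmdline"
}

# Weak: secret passed as an argument (-P is an illustrative flag of the stand-in).
argv_with_flag() {
  sh -c 'sleep 2; :' stand-in -P "$SECRET" >/dev/null 2>&1 &
  pid=$!
  argv_of "$pid"
  kill "$pid" 2>/dev/null || true
}

# Safer: secret in the environment (STANDIN_PASS is a hypothetical name).
# /proc/PID/environ is readable only by the process owner and root.
argv_with_env() {
  STANDIN_PASS="$SECRET" sh -c 'sleep 2; :' stand-in >/dev/null 2>&1 &
  pid=$!
  argv_of "$pid"
  kill "$pid" 2>/dev/null || true
}

# Weak: secret spliced into script text, so the inner shell re-parses it
# ($$ expands, ';' ends the command, '#' starts a comment).
spliced() { sh -c "printf %s $SECRET" 2>/dev/null; }

# Safer: secret handed over as data and expanded inside double quotes.
as_data() { STANDIN_PASS="$SECRET" sh -c 'printf %s "$STANDIN_PASS"'; }

printf 'argv, secret as flag : %s\n' "$(argv_with_flag)"
printf 'argv, secret in env  : %s\n' "$(argv_with_env)"
printf 'spliced into script  : %s\n' "$(spliced)"
printf 'passed as data       : %s\n' "$(as_data)"
```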