JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

iodine: improve password handling (#58806)

Browse Source 
Before this change, only passwords not containing shell metacharacters could be
used, and because the password was passed as a command-line argument, local
users could (in a very small window of time) record the password and (in an
indefinity window of time) record the length of the password.

We also use the opportunity to add a call to `exec` in the systemd start
script, so that no shell needs to hang around waiting for iodine to stop.
This commit is contained in:
Ingo Blechschmidt 2019-04-08 21:20:26 +02:00 committed by xeji
parent 67c5d04fee
commit efff2e1aa6
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
nixos/modules/services/networking/iodine.nix
View File

@ -63,7 +63,7 @@ in
passwordFile = mkOption { passwordFile = mkOption {
type = types.str; type = types.str;
default = ""; default = "";
description = "File that containts password"; description = "File that contains password";
}; };
}; };
})); }));
@ -100,7 +100,7 @@ in
passwordFile = mkOption { passwordFile = mkOption {
type = types.str; type = types.str;
default = ""; default = "";
description = "File that containts password"; description = "File that contains password";
}; };
}; };
@ -120,7 +120,7 @@ in
description = "iodine client - ${name}"; description = "iodine client - ${name}";
after = [ "network.target" ]; after = [ "network.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
script = "${pkgs.iodine}/bin/iodine -f -u ${iodinedUser} ${cfg.extraConfig} ${optionalString (cfg.passwordFile != "") "-P $(cat \"${cfg.passwordFile}\")"} ${cfg.relay} ${cfg.server}"; script = "exec ${pkgs.iodine}/bin/iodine -f -u ${iodinedUser} ${cfg.extraConfig} ${optionalString (cfg.passwordFile != "") "< \"${cfg.passwordFile}\""} ${cfg.relay} ${cfg.server}";
serviceConfig = { serviceConfig = {
RestartSec = "30s"; RestartSec = "30s";
Restart = "always"; Restart = "always";
@ -136,7 +136,7 @@ in
description = "iodine, ip over dns server daemon"; description = "iodine, ip over dns server daemon";
after = [ "network.target" ]; after = [ "network.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
script = "${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${optionalString (cfg.server.passwordFile != "") "-P $(cat \"${cfg.server.passwordFile}\")"} ${cfg.server.ip} ${cfg.server.domain}"; script = "exec ${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${optionalString (cfg.server.passwordFile != "") "< \"${cfg.server.passwordFile}\""} ${cfg.server.ip} ${cfg.server.domain}";
}; };
}; };