nixos/lldap: bootstrap jwt_secret
if not provided
If not provided, lldap defaults to the value `secretjwtsecret`, which is hardcoded in the code base. See https://github.com/lldap/lldap/blob/v0.5.0/server/src/infra/configuration.rs#L76-L77 This is really bad, because an attacker who knows the `jwt_secret` can trivially generate a valid admin access token/cookie.
This commit is contained in:
parent
bc3604ee35
commit
61a651e362
@ -107,8 +107,21 @@ in
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
# lldap defaults to a hardcoded `jwt_secret` value if none is provided, which is bad, because
# an attacker could create a valid admin jwt access token fairly trivially.
# Because there are 3 different ways `jwt_secret` can be provided, we check if any one of them is present,
# and if not, bootstrap a secret in `/var/lib/lldap/jwt_secret_file` and give that to lldap.
script = lib.optionalString (!cfg.settings ? jwt_secret) ''
if [[ -z "$LLDAP_JWT_SECRET_FILE" ]] && [[ -z "$LLDAP_JWT_SECRET" ]]; then
if [[ ! -e "./jwt_secret_file" ]]; then
${lib.getExe pkgs.openssl} rand -base64 -out ./jwt_secret_file 32
fi
export LLDAP_JWT_SECRET_FILE="./jwt_secret_file"
fi
'' + ''
${lib.getExe cfg.package} run --config-file ${format.generate "lldap_config.toml" cfg.settings}
'';
serviceConfig = {
ExecStart = "${lib.getExe cfg.package} run --config-file ${format.generate "lldap_config.toml" cfg.settings}";
StateDirectory = "lldap";
WorkingDirectory = "%S/lldap";
User = "lldap";
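Review bot: The bootstrapped secret is written by `openssl rand -out ./jwt_secret_file` under the service's default umask, so with systemd's default `UMask=0022` and `StateDirectoryMode=0755` — neither of which this hunk overrides — `/var/lib/lldap/jwt_secret_file` ends up readable by every local user, which undercuts the purpose of the change. Tightening the mode at creation is a one-line fix: `(umask 077; ${lib.getExe pkgs.openssl} rand -base64 -out ./jwt_secret_file 32)`; alternatively add `StateDirectoryMode = "0700";` next to `StateDirectory`, noting that this also changes the mode of an already-existing state directory. The `[[ ! -e ... ]]` guard also accepts an empty or truncated file left behind by an interrupted first run, so `[[ ! -s "./jwt_secret_file" ]]` is the safer test. Since `script` now replaces `ExecStart`, prefixing the `run` command with `exec` lets systemd track lldap itself rather than the wrapper shell. The enclosing service definition starts before the hunk.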