From 8eb814e964bb89e7f996258803626d5d1aa54726 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?=
Date: Tue, 7 Dec 2021 10:15:34 +0100
Subject: [PATCH] Revert "nixos/ddclient: fix permission for ddclient.conf (#148179)"

This reverts commit 6af3d13bec9b13e8fa8e19594ffbcbe085387bdd.

Reported by @arcnmx (https://github.com/NixOS/nixpkgs/pull/148179#issuecomment-987197656):

Does this not completely break the service? It doesn't change the owner to the same as the ddclient server (which is somewhat difficult due to it being a DynamicUser), so this now makes the service completely unusable because the config is only readable by its owner, root:

ddclient[871397]: WARNING: file /run/ddclient/ddclient.conf: Cannot open file '/run/ddclient/ddclient.conf'. (Permission denied)

Given that the RuntimeDirectory was only readable by the ddclient service, the warning this PR fixes was spurious and not indicative of an actual information leak.

I'm not sure of what a quick fix would be due to DynamicUser, but would at least request a revert of this so the service can work again?
---
 nixos/modules/services/networking/ddclient.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/services/networking/ddclient.nix b/nixos/modules/services/networking/ddclient.nix
index 021b28d5c34f..8a2c0fc7080c 100644
--- a/nixos/modules/services/networking/ddclient.nix
+++ b/nixos/modules/services/networking/ddclient.nix
@@ -29,7 +29,7 @@ let
 configFile = if (cfg.configFile != null) then cfg.configFile else configFile';
 preStart = ''
- install --mode=0400 ${configFile} /run/${RuntimeDirectory}/ddclient.conf
+ install ${configFile} /run/${RuntimeDirectory}/ddclient.conf
 ${lib.optionalString (cfg.configFile == null) (if (cfg.passwordFile != null) then ''
 password=$(printf "%q" "$(head -n 1 "${cfg.passwordFile}")")
 sed -i "s|^password=$|password=$password|" /run/${RuntimeDirectory}/ddclient.conf
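Review bot: The restored `install ${configFile} /run/${RuntimeDirectory}/ddclient.conf` passes no mode, so the copy gets install's default of 0755. The password that the following `sed -i` writes into it is then protected only by the permissions of the runtime directory. The commit message says that directory is readable only by the service, but its mode is set outside this hunk, so I would make the dependency explicit with a comment above the line, such as `# no --mode: service runs as a DynamicUser, secrecy relies on RuntimeDirectoryMode`, and confirm the module sets a restrictive `RuntimeDirectoryMode`. A follow-up that creates the file as the service user with an owner-only mode would remove the reliance on the directory and also address ddclient's permission warning. The `preStart` string continues past the end of the hunk.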