[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: How to put a file in /gnu/store and set its permissions

From: Leo Famulari
Subject: Re: How to put a file in /gnu/store and set its permissions
Date: Sun, 5 Dec 2021 00:12:58 -0500

On Sat, Dec 04, 2021 at 04:47:12PM -0600, Nathan Dehnel wrote:
> This says to set #:recursive? #t and guix will preserve its
> permissions in the store. I have done this:
> (define guixrig_host_rsa_key
>     (local-file "ssh/guixrig_host_rsa_key" #:recursive? #t))
> The file this expression puts in the store has permissions of 444,
> despite the original being 400. How do I prevent guix from changing
> permissions, or manually override them?

In general, the store cannot be used to store secrets.  By design,
everything in the store is made world-readable despite what permissions
are set, for example in a package definition. I'm not sure if that's
documented in the manual; I don't see it in the manual section The Store

I'm not sure exactly what code ensures that everything in the store is
readable, but it's probably somewhere in the daemon [0], which is what
writes to the store [1].

The question of how to handle secrets in Guix has been discussed many
times over the years and there are some solutions in various services;
maybe there is a canonical solution now. But basically the idea is to
store the secret outside of the store, like in /etc, as defined in a
service configuration in config.scm.

Hopefully some other people can join the conversation with more specific


[1] I'd guess that canonicaliseTimestampAndPermissions is always called:

reply via email to

[Prev in Thread] Current Thread [Next in Thread]