[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: How to put a file in /gnu/store and set its permissions
|
From: |
Leo Famulari |
|
Subject: |
Re: How to put a file in /gnu/store and set its permissions |
|
Date: |
Sun, 5 Dec 2021 00:12:58 -0500 |
On Sat, Dec 04, 2021 at 04:47:12PM -0600, Nathan Dehnel wrote:
> https://guix.gnu.org/manual/en/html_node/G_002dExpressions.html
> This says to set #:recursive? #t and guix will preserve its
> permissions in the store. I have done this:
>
> (define guixrig_host_rsa_key
> (local-file "ssh/guixrig_host_rsa_key" #:recursive? #t))
>
> The file this expression puts in the store has permissions of 444,
> despite the original being 400. How do I prevent guix from changing
> permissions, or manually override them?
In general, the store cannot be used to store secrets. By design,
everything in the store is made world-readable despite what permissions
are set, for example in a package definition. I'm not sure if that's
documented in the manual; I don't see it in the manual section The Store
[1].
I'm not sure exactly what code ensures that everything in the store is
readable, but it's probably somewhere in the daemon [0], which is what
writes to the store [1].
The question of how to handle secrets in Guix has been discussed many
times over the years and there are some solutions in various services;
maybe there is a canonical solution now. But basically the idea is to
store the secret outside of the store, like in /etc, as defined in a
service configuration in config.scm.
Hopefully some other people can join the conversation with more specific
advice.
[0]
https://git.savannah.gnu.org/cgit/guix.git/tree/nix?h=v1.3.0
[1] I'd guess that canonicaliseTimestampAndPermissions is always called:
https://guix.gnu.org/manual/en/html_node/The-Store.html