From 4c8bdd1c4f6aafd96e002e4cae14c0c5798ddfd7 Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Tue, 11 Feb 2020 21:41:04 +0100
Subject: [PATCH] nixos/filesystems: don't chown /run/keys recursively

3c74e48d9c8dbcede89a72ea18cd27def4b498a9 was a bit too much, it updated permissions of all files recursively, causing files to be readable by the group. This isn't a problem immediately after bootup, but on a new activation, as tmpfiles.d get restarted then, updating the permission bits of now-existing files. This updates the `Z` to be a `z` (the non-recursive variant), and adds a `d` to ensure a directory is created (which should be covered by the initrd shell script anyway)
---
 nixos/modules/tasks/filesystems.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix
index 965a1c9eb1a6..0ade74b957a0 100644
--- a/nixos/modules/tasks/filesystems.nix
+++ b/nixos/modules/tasks/filesystems.nix
@@ -305,7 +305,8 @@ in
 in listToAttrs (map formatDevice (filter (fs: fs.autoFormat) fileSystems));
 systemd.tmpfiles.rules = [
- "Z /run/keys 0750 root ${toString config.ids.gids.keys}"
+ "d /run/keys 0750 root ${toString config.ids.gids.keys}"
+ "z /run/keys 0750 root ${toString config.ids.gids.keys}"
 ];
 # Sync mount options with systemd's src/core/mount-setup.c: mount_table.
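Review bot: The switch from `Z` to `z` on the `/run/keys` rule deserves an inline comment, because a reader without this commit's history will see a non-recursive rule on a secrets directory and may "fix" it back to the recursive form; something like `# Intentionally non-recursive: key files keep the mode their writer gave them; a recursive Z made them group-readable on every re-activation.` above `systemd.tmpfiles.rules` would prevent that. Note that with `z` nothing in this module constrains the mode of the files inside `/run/keys` any more, so their permissions rest entirely on whatever writes them there. tmpfiles.d(5) documents `d` as also adjusting the mode and ownership of an already existing directory, which, if that holds for the systemd version in use, makes the added `z` line redundant; it is harmless, but worth confirming rather than keeping two rules for one path. The enclosing attribute set starts and ends outside the hunk.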