netbird: the final config files are world-readable (not from /nix/store) #371286

@mrshiposha

Describe the bug

The secrets in the generated config files are world-readable (though NOT from /nix/store).

Steps To Reproduce

Steps to reproduce the behavior:

  1. Configure the netbird module and try to run it
  2. `systemctl cat netbird-management.service`
  3. Notice that the ExecStart contains `"management" "--config" "/var/lib/netbird-mgmt/management.json"`
  4. `ls -l /var/lib/netbird-mgmt/management.json` shows `-rw-r--r--`, i.e. it's world-readable
  5. `cat /var/lib/netbird-mgmt/management.json` contains the secrets exposed: `ClientSecret`, `DataStoreEncryptionKey`, etc.

Expected behavior

It seems reasonable that secrets shouldn't be world-readable despite their location in the file system.

Metadata

 - system: `"x86_64-linux"`
 - host os: `Linux 6.12.8, NixOS, 24.11 (Vicuna), 24.11.20250104.8f1fa8d`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.24.11`
 - nixpkgs: `/nix/store/bxgbwjm05kmrzvrfg59f3dzpxyvvhrx5-source`

Notify maintainers

@PatrickDaG
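
A check for the condition reported above, as an added example that is not part of the issue or of nixpkgs: it flags a file whose mode grants read access to other users and that contains the secret-bearing keys the issue names (`ClientSecret`, `DataStoreEncryptionKey`). The function names and the sample file content are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag config files that are readable by "other" and
# contain secret-bearing keys. Key names are the two named in the issue.
SECRET_KEYS='ClientSecret|DataStoreEncryptionKey'

# Succeeds (exit 0) if FILE has the other-read permission bit set.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Prints the names of secret keys present in FILE (never their values).
secret_keys_in() {
    grep -Eo "\"($SECRET_KEYS)\"" "$1" 2>/dev/null | tr -d '"' | sort -u
}

# Returns 1 and reports if FILE is world-readable and holds secrets; else 0.
audit_config() {
    file=$1
    keys=$(secret_keys_in "$file" | tr '\n' ' ')
    if is_world_readable "$file" && [ -n "$keys" ]; then
        echo "FAIL $file: world-readable, contains: $keys"
        return 1
    fi
    echo "OK   $file"
    return 0
}

# Constructed sample: reproduce the reported mode (0644), then tighten to 0600.
demo() {
    dir=$(mktemp -d) || return 2
    f="$dir/management.json"
    printf '{"ClientSecret": "constructed", "DataStoreEncryptionKey": "constructed"}\n' > "$f"
    chmod 644 "$f"
    if audit_config "$f"; then before=0; else before=1; fi
    chmod 600 "$f"
    if audit_config "$f"; then after=0; else after=1; fi
    rm -rf "$dir"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

demo
```

The check looks only at the file's own mode bits; a parent directory that other users cannot traverse would also block access and is not evaluated here.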

