I have noticed that when I write a file via environment.etc in /etc and specify a mode, the same file is created in /etc/static but with read permissions for all.
Now I have a use case where I want to put a file in /etc that can only be read by root. However, anyone can now read this file in /etc/static.
environment.etc."my-secret-file" = {
text = "MySecret";
mode = "0600";
};
ls -la /etc/my-secret-file
Permissions Size User Group Date Modified Name
.rw------- 8 root root 22 Sep 12:16 /etc/my-secret-file
ls -la /etc/static/my-secret-file
Permissions Size User Group Date Modified Name
lrwxrwxrwx - root root 1 Jan 1970 /etc/static/my-secret-file -> /nix/store/qkq0si3yr4zswgwlr87d6x472cs32425-etc-my-secret-file
ls -la /nix/store/qkq0si3yr4zswgwlr87d6x472cs32425-etc-my-secret-file
Permissions Size User Group Date Modified Name
.r--r--r-- 8 root root 1 Jan 1970 /nix/store/qkq0si3yr4zswgwlr87d6x472cs32425-etc-my-secret-file
I'm currently using nixpkgs 24.05.
Two questions:
is this really desired? I can’t quite imagine that.
Maybe I don’t quite understand the meaning of /etc/static? What is it used for?
I have some zfs datasets that need a key for decryption. I will definitely use agenix in the long run, but I wanted to test it now so I just used environment.etc.
The contents would still be in the Nix store which is world readable even if /etc permissions were different.
Files in the store can only have either 0444 or 0555 permission. /etc/static simply acts as a link farm to files in the store.
I thought when using environment.etc.<name>.mode the file gets actually copied and not symlinked from the store, like it's written in the description. Is that not the case?
Yes, but it’s copied from /etc/static, which points into the store, which can only record 0444 or 0555 perms.
Of course the destination file in /etc can have whatever perms, as it’s copied using this perl script, not nix.
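The copy chain described in the two replies above (store file with 0444 perms, symlinked from /etc/static, copied into /etc with the requested mode) can be audited with the following script. It is an added example, not code from the thread or from NixOS: it walks an /etc-style tree and reports every file that is private in /etc but world-readable through its /etc/static symlink. The demo tree, the fake store directory and the file names are constructed so it runs offline; GNU stat and readlink are assumed.

```shell
#!/bin/sh
# Added audit helper (not from the thread or from NixOS).
# For each regular file under ETC_ROOT whose mode denies "other" read, look up
# the same relative path in STATIC_ROOT (the link farm), resolve the symlink
# into the store and report when that copy is world-readable.
# Prints one line per finding: "<rel-path> <etc-mode> <store-path> <store-mode>".
audit_etc_static() {
    etc_root=$1
    static_root=$2
    while read -r f; do
        [ -n "$f" ] || continue
        rel=${f#"$etc_root"/}
        mode=$(stat -c %a "$f")
        case $mode in
            *[4-7]) continue ;;       # other-read bit set: nothing is hidden in /etc anyway
        esac
        link=$static_root/$rel
        [ -e "$link" ] || continue    # not managed via environment.etc (or dangling link)
        store=$(readlink -f "$link")
        smode=$(stat -c %a "$store")
        case $smode in
            *[4-7]) printf '%s %s %s %s\n' "$rel" "$mode" "$store" "$smode" ;;
        esac
    done <<EOF
$(find "$etc_root" -path "$static_root" -prune -o -type f -print)
EOF
}

# Constructed demo tree mirroring the thread: a 0600 /etc/my-secret-file copied
# from /etc/static/my-secret-file -> store file that is 0444, plus a public file
# that must not be reported. The store path is a placeholder, not a real hash.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/static" "$root/store"
    for name in my-secret-file:0600 hostname:0644; do
        file=${name%%:*}; wanted=${name##*:}
        printf 'MySecret\n' > "$root/store/demo-etc-$file"
        chmod 0444 "$root/store/demo-etc-$file"
        ln -s "$root/store/demo-etc-$file" "$root/etc/static/$file"
        cp "$root/etc/static/$file" "$root/etc/$file"   # copy, as the activation script does
        chmod "$wanted" "$root/etc/$file"
    done
    echo "$root"
}

demo=$(build_demo_tree)
audit_etc_static "$demo/etc" "$demo/etc/static"
rm -rf "$demo"
```

Run it against the real system with `audit_etc_static /etc /etc/static` as root; every line it prints is a file whose contents are still readable by any local user via the store.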
That was the missing part. A little strange to me that everything is also readable in /etc/static but ok.
In the meantime I just used agenix and it's working well so far.