Environment.etc setting mode creates file in /etc/static with wrong mode

Hello everyone,

I have noticed that when I write a file via environment.etc in /etc and specify a mode, the same file is created in /etc/static but with read permissions for all.

Now I have a use case where I want to put a file in /etc that can only be read by root. However, anyone can now read this file in /etc/static.

  environment.etc."my-secret-file" = {
    text = "MySecret";
    mode = "0600";
  };
  $ cat /etc/my-secret-file
  cat: /etc/my-secret-file: Permission denied
  $ cat /etc/static/my-secret-file
  MySecret
  $ ls -la /etc/my-secret-file
  Permissions Size User Group Date Modified Name
  .rw-------     8 root root  22 Sep 12:16  /etc/my-secret-file
  $ ls -la /etc/static/my-secret-file
  Permissions Size User Group Date Modified Name
  lrwxrwxrwx     - root root   1 Jan  1970  /etc/static/my-secret-file -> /nix/store/qkq0si3yr4zswgwlr87d6x472cs32425-etc-my-secret-file
  $ ls -la /nix/store/qkq0si3yr4zswgwlr87d6x472cs32425-etc-my-secret-file
  Permissions Size User Group Date Modified Name
  .r--r--r--     8 root root   1 Jan  1970  /nix/store/qkq0si3yr4zswgwlr87d6x472cs32425-etc-my-secret-file

I'm currently using nixpkgs 24.05.

Two questions:

  1. Is this really desired? I can’t quite imagine that.
  2. Maybe I don’t quite understand the meaning of /etc/static? What is it used for?

Thanks for your help!

What problem are you trying to solve?

The contents would still be in the Nix store which is world readable even if /etc permissions were different.


Files in the store can only have either 0444 or 0555 permission. /etc/static simply acts as a link farm to files in the store.

What problem are you trying to solve?

I have some zfs datasets that need a key for decryption. I will definitely use agenix in the long run, but I wanted to test it now, so I just used environment.etc.

The contents would still be in the Nix store which is world readable even if /etc permissions were different.

Files in the store can only have either 0444 or 0555 permission. /etc/static simply acts as a link farm to files in the store.

I thought that when using environment.etc.<name>.mode the file actually gets copied and not symlinked from the store, like it's written in the description. Is that not the case?

Yes, but it’s copied from /etc/static, which points into the store, which can only record 0444 or 0555 perms.
Of course the destination file in /etc can have whatever perms, as it’s copied using this Perl script, not Nix.
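The mechanism described above (a 0600 copy in /etc, but a 0444 original reachable through the /etc/static link farm) can be checked mechanically. The following is an added example, not code from the thread or from nixpkgs: a small POSIX shell function, `etc_secret_leaks` (a hypothetical name), that takes the directory standing in for /etc as its first argument so it can be run against a test tree as well as the real system, and reports whether a world-readable copy of an environment.etc entry is reachable via `<etc>/static/<name>`. It assumes `ls -L` follows symlinks (true for GNU and BSD ls) and that a symlink target under /nix/store is always world-readable, as the replies above state.

```shell
#!/bin/sh
# Added example (not from the thread or nixpkgs): audit one environment.etc
# entry for a world-readable copy reachable through the /etc/static link farm.
#
# etc_secret_leaks ETC_ROOT NAME
#   ETC_ROOT: directory standing in for /etc (use /etc on a live NixOS host,
#             or a constructed test tree)
#   NAME:     the environment.etc attribute name, e.g. my-secret-file
#   Returns 0 when no world-readable copy is found, 1 when one is, 2 on error.

# Symbolic mode string of a path, following symlinks, e.g. "-r--r--r--".
perm_of() {
    ls -ldL "$1" 2>/dev/null | cut -c1-10
}

# "r" when the "other read" bit (8th character of the mode string) is set.
other_read() {
    perm_of "$1" | cut -c8
}

etc_secret_leaks() {
    etc_root=$1
    name=$2
    target=$etc_root/$name
    static=$etc_root/static/$name

    if [ ! -e "$target" ]; then
        echo "$target: missing"
        return 2
    fi

    # The destination file itself: this is what .mode = "0600" controls.
    if [ "$(other_read "$target")" = "r" ]; then
        echo "$target is world-readable"
        return 1
    fi

    # The link-farm entry the thread is about: it points at the store copy,
    # which carries 0444 regardless of the mode given in environment.etc.
    if [ -e "$static" ] && [ "$(other_read "$static")" = "r" ]; then
        link_target=$(readlink "$static" 2>/dev/null || echo "$static")
        case $link_target in
            /nix/store/*) where="the Nix store (always world-readable)" ;;
            *)            where="a world-readable file" ;;
        esac
        echo "$target is $(perm_of "$target") but $static -> $link_target is in $where"
        return 1
    fi

    echo "$target: no world-readable copy found under $etc_root/static"
    return 0
}

# Stand-alone usage: etc_secret_leaks.sh /etc my-secret-file
if [ "$#" -ge 2 ]; then
    etc_secret_leaks "$1" "$2"
fi
```

On a host with the configuration from the first post, `etc_secret_leaks /etc my-secret-file` reports the 0600 file in /etc and the 0444 store file behind /etc/static/my-secret-file; an entry whose contents never enter the store (for example a secret decrypted at activation time into a path outside /nix/store and only referenced from /etc) has no /etc/static copy and passes.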

That was the missing part. It's a little strange to me that everything is also readable in /etc/static, but OK.
In the meantime I just used agenix, and it's working well so far.

Thanks for help!