Secrets owned by non-root users are no longer readable by that user #69
Comments
Thanks for the report! I've confirmed this is a problem for me too with:

cc @cole-h

If I change permissions with:

then it works.

Looks like 751 is what sops-nix uses: https://github.com/Mic92/sops-nix/blob/3c53d012ac77d4bd8428f9c847709e287c897ad9/pkgs/sops-install-secrets/main.go#L312

Ah, this was not an issue for me since my user is in the

Released https://github.com/ryantm/agenix/releases/tag/0.10.1 to fix this. Thanks again.

If you set

    {
      age.secrets.test = {
        path = "/var/lib/some/path/that/cannot/be/a/symlink";
        symlink = false;
      };
    }

And then your secret will be decrypted to

Secrets are decrypted to
Line 22 in 4fefd7c
Line 25 in 4fefd7c
Line 30 in 4fefd7c
Line 34 in 4fefd7c

But the default path is

Since 0.10 / #27

Relevant namei -l output:

Even if I set symlink = false this doesn't work, since even if the secrets are decrypted to /run/agenix, they are actually decrypted to /run/agenix.d/2, since /run/agenix is already a symlink to /run/agenix.d/2 at that point. (Which kind of defeats the point of symlink = false IIUC. Maybe this should be a separate issue?)

I can add the relevant user(s) to the keys group to fix this behaviour, but this is not documented anywhere.