
Secrets owned by non-root users are no longer readable by that user #69

Closed
chvp opened this issue Nov 20, 2021 · 6 comments · Fixed by #71

Comments

@chvp

chvp commented Nov 20, 2021

Since 0.10 / #27

Relevant namei -l output:

drwxr-xr-x root root /
drwxr-xr-x root root run
lrwxrwxrwx root root agenix -> /run/agenix.d/2
drwxr-xr-x root root   /
drwxr-xr-x root root   run
drwxr-x--- root keys   agenix.d
                       2 - Permission denied

Even if I set symlink = false this doesn't work, since even if the secrets are decrypted to /run/agenix, they are actually decrypted to /run/agenix.d/2, since /run/agenix is already a symlink to /run/agenix.d/2 at that point. (Which kind of defeats the point of symlink = false IIUC. Maybe this should be a separate issue?)

I can add the relevant user(s) to the keys group to fix this behaviour, but this is not documented anywhere.
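The `namei -l` listing above shows the failure is a directory-search (`x`) check on an ancestor, not on the secret itself. The following is an added example, not part of this issue or of agenix, that applies the same per-component check to `mode owner group name` lines of the kind `namei -l` prints, for a given user and group list; the sample lines are constructed to mirror the listing above (the `2` directory's mode is taken from the `ls -la` output later in the thread), and `traversal_denied_at` and `sample_namei` are names chosen here.

```shell
#!/bin/sh
# traversal_denied_at USER "GROUP1 GROUP2 ..." < namei-l-output
# Prints the first directory component USER cannot search and returns 1;
# prints nothing and returns 0 when every directory on the path is searchable.
# Root is assumed to bypass discretionary permission checks.
traversal_denied_at() {
  user=$1; groups=$2
  [ "$user" = root ] && return 0
  while read -r mode owner group name rest; do
    case $mode in d*) ;; *) continue ;; esac   # only directories need +x
    # Pick the rwx triplet that applies to this user: owner, group, or other.
    if [ "$owner" = "$user" ]; then
      bits=$(printf %s "$mode" | cut -c2-4)
    elif printf ' %s ' "$groups" | grep -q " $group "; then
      bits=$(printf %s "$mode" | cut -c5-7)
    else
      bits=$(printf %s "$mode" | cut -c8-10)
    fi
    case $bits in
      ??x|??s|??t) ;;                             # search bit set
      *) printf '%s\n' "$name"; return 1 ;;       # first blocking directory
    esac
  done
  return 0
}

# Constructed sample in namei -l layout (mode owner group name); not real data.
sample_namei() {
  cat <<'EOF'
drwxr-xr-x root root /
drwxr-xr-x root root run
lrwxrwxrwx root root agenix -> /run/agenix.d/2
drwxr-xr-x root root /
drwxr-xr-x root root run
drwxr-x--- root keys agenix.d
drwxr-x--- root keys 2
-r-------- chvp users test-user-file
EOF
}

# Secret owner without the keys group: blocked at agenix.d.
sample_namei | traversal_denied_at chvp "users"
# Same user after being added to keys: path is fully traversable.
sample_namei | traversal_denied_at chvp "users keys"
```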

@ryantm
Owner

ryantm commented Nov 20, 2021

Thanks for the report! I've confirmed this is a problem for me too with:

  age.secrets.test-user-file = {
    owner = "ryantm";
    group = "users";
    file = ../secrets/test-user-file.age;
  };
$ sudo ls -la /run/agenix/
total 16
drwxr-x--- 2 root   keys     0 Nov 20 12:03 .
drwxr-x--- 3 root   keys     0 Nov 20 12:03 ..
-r-------- 1 ryantm users   12 Nov 20 12:03 test-user-file

[ryantm@home2:~/p/nixfiles]$ sudo ls -la /run/agenix.d/3
total 16
drwxr-x--- 2 root   keys     0 Nov 20 12:03 .
drwxr-x--- 3 root   keys     0 Nov 20 12:03 ..
-r-------- 1 ryantm users   12 Nov 20 12:03 test-user-file

$ whoami
ryantm

$ cat /run/agenix/test-user-file
cat: /run/agenix/test-user-file: Permission denied

cc @cole-h

@ryantm
Owner

ryantm commented Nov 20, 2021

If I change permissions with:

chmod o+x /run/agenix.d
chmod o+x /run/agenix.d/3

then it works.


ryantm added a commit that referenced this issue Nov 20, 2021
@cole-h
Collaborator

cole-h commented Nov 20, 2021

Ah, this was not an issue for me since my user is in the keys group. Sorry about that! 🙇

@ryantm
Owner

ryantm commented Nov 20, 2021

Released https://github.com/ryantm/agenix/releases/tag/0.10.1 to fix this. Thanks again.

@cole-h
Collaborator

cole-h commented Nov 20, 2021

Even if I set symlink = false this doesn't work, since even if the secrets are decrypted to /run/agenix, they are actually decrypted to /run/agenix.d/2, since /run/agenix is already a symlink to /run/agenix.d/2 at that point. (Which kind of defeats the point of symlink = false IIUC. Maybe this should be a separate issue?)

If you set symlink = false;, the idea is that you also set the path to where the secret should be located. So your secret would look like:

{
  age.secrets.test = {
    path = "/var/lib/some/path/that/cannot/be/a/symlink";
    symlink = false;
  };
}

And then your secret will be decrypted to /var/lib/some/path/that/cannot/be/a/symlink.

Secrets are decrypted to "${config.age.secrets.<secret>.path}.tmp", as you can see in these places:

_truePath="${secretType.path}"

TMP_FILE="$_truePath.tmp"

LANG=${config.i18n.defaultLocale} ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}"

mv -f "$TMP_FILE" "$_truePath"

But the default path is /run/agenix/<secret>.
