[Nix-dev] [PATCH] authorized_keys in users.extraUsers

Rickard Nilsson rickard.nilsson at telia.com
Tue Oct 18 14:01:42 CEST 2011


On 2011-10-18 11:00:25, Marc Weber <marco-oweber at gmx.de> wrote:

> Excerpts from Rickard Nilsson's message of Tue Oct 18 07:48:46 +0200  
> 2011:
>> As long as authorized_keys isn't world-writeable, there isn't anything
>> particularly sensitive about it. If the file exists, the activation
>> script should not mess with the owner or permissions. If it doesn't
>> exist the owner should be set to the concerned user, and permissions
>> to 644. One could also imagine the possibility to specify
>> owner/permissions in configuration.nix, but if you go down that road
>> it might make more sense to let Nix control authorized_keys
>> completely, and make proper builds of it in the store.
>
> Just want to say: I'm glad there is nix-store --check-contents. Running
> that I know that everything is still fine (and that I didn't get
> hacked). That's why I'd prefer such a check for some user accounts as well.
> If the system checks it I don't have to .. But generating such a script
> doing the check is trivial - so it may be OT.

Of course, a crontab check of the authorized_keys files would be useful.
I might look into setting up something like that when I have implemented
the file generation properly itself.

   / Rickard


>
> Marc Weber

