authorIngo Blechschmidt <iblech@web.de>2019-04-08 21:20:26 +0200
committerxeji <36407913+xeji@users.noreply.github.com>2019-04-08 21:20:26 +0200
commitefff2e1aa64d40aae760bff5363d2e1713e3bb7b (patch)
treef5a567cf1a8f4c8eb794ae720587815ecf119bb4 /nixos/modules/services/networking/iodine.nix
parent67c5d04fee100d660c33f7ae8e931b597edb916e (diff)
iodine: improve password handling (#58806)
Before this change, only passwords not containing shell metacharacters could be used, and because the password was passed as a command-line argument, local users could (in a very small window of time) record the password and (in an indefinite window of time) record the length of the password. We also use the opportunity to add a call to `exec` in the systemd start script, so that no shell needs to hang around waiting for iodine to stop.
Diffstat (limited to 'nixos/modules/services/networking/iodine.nix')
-rw-r--r--nixos/modules/services/networking/iodine.nix8
1 files changed, 4 insertions, 4 deletions
diff --git a/nixos/modules/services/networking/iodine.nix b/nixos/modules/services/networking/iodine.nix
index 58ad0df4ff20..344f84374bbd 100644
--- a/nixos/modules/services/networking/iodine.nix
+++ b/nixos/modules/services/networking/iodine.nix
@@ -63,7 +63,7 @@ in
passwordFile = mkOption {
type = types.str;
default = "";
- description = "File that containts password";
+ description = "File that contains password";
};
};
}));
@@ -100,7 +100,7 @@ in
passwordFile = mkOption {
type = types.str;
default = "";
- description = "File that containts password";
+ description = "File that contains password";
};
};
@@ -120,7 +120,7 @@ in
description = "iodine client - ${name}";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
- script = "${pkgs.iodine}/bin/iodine -f -u ${iodinedUser} ${cfg.extraConfig} ${optionalString (cfg.passwordFile != "") "-P $(cat \"${cfg.passwordFile}\")"} ${cfg.relay} ${cfg.server}";
+ script = "exec ${pkgs.iodine}/bin/iodine -f -u ${iodinedUser} ${cfg.extraConfig} ${optionalString (cfg.passwordFile != "") "< \"${cfg.passwordFile}\""} ${cfg.relay} ${cfg.server}";
serviceConfig = {
RestartSec = "30s";
Restart = "always";
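Review bot: The redirect target on the new `script` line is only wrapped in double quotes, so a `passwordFile` value containing `"`, `$` or a backtick is still expanded or breaks the generated shell script; since the module already uses `optionalString` from lib, `lib.escapeShellArg` quotes the path for any value: `"< ${escapeShellArg cfg.passwordFile}"`. The same applies to the iodined `script` line in the @@ -136 hunk. The redirect is performed by the service's shell before `-u ${iodinedUser}` drops privileges, so the file only needs to be readable by the account the unit starts as (presumably root, no `User=` is visible in this hunk), which the `passwordFile` option description could state; how iodine treats a trailing newline or extra lines on stdin is not visible here and should be confirmed before documenting it.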
@@ -136,7 +136,7 @@ in
description = "iodine, ip over dns server daemon";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
- script = "${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${optionalString (cfg.server.passwordFile != "") "-P $(cat \"${cfg.server.passwordFile}\")"} ${cfg.server.ip} ${cfg.server.domain}";
+ script = "exec ${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${optionalString (cfg.server.passwordFile != "") "< \"${cfg.server.passwordFile}\""} ${cfg.server.ip} ${cfg.server.domain}";
};
};