From e0f2f7f9eadadab6d464ea63ab4dda04fe075d75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?=
Date: Tue, 12 Jul 2022 09:03:29 +0200
Subject: [PATCH] nixos/ddclient: don't leak password in process listings

...by using `replace-secret` instead of `sed` when injecting the password into the ddclient config file. (Verified with `execsnoop`.) Ref https://github.com/NixOS/nixpkgs/issues/156400.
---
 nixos/modules/services/networking/ddclient.nix | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/nixos/modules/services/networking/ddclient.nix b/nixos/modules/services/networking/ddclient.nix
index faee99b175eb..43a50af8f9b5 100644
--- a/nixos/modules/services/networking/ddclient.nix
+++ b/nixos/modules/services/networking/ddclient.nix
@@ -13,7 +13,7 @@ let
       foreground=YES
       use=${cfg.use}
       login=${cfg.username}
-      password=${lib.optionalString (cfg.protocol == "nsupdate") "/run/${RuntimeDirectory}/ddclient.key"}
+      password=${if cfg.protocol == "nsupdate" then "/run/${RuntimeDirectory}/ddclient.key" else "@password_placeholder@"}
       protocol=${cfg.protocol}
       ${lib.optionalString (cfg.script != "") "script=${cfg.script}"}
       ${lib.optionalString (cfg.server != "") "server=${cfg.server}"}
@@ -33,10 +33,9 @@ let
     ${lib.optionalString (cfg.configFile == null) (if (cfg.protocol == "nsupdate") then ''
       install ${cfg.passwordFile} /run/${RuntimeDirectory}/ddclient.key
     '' else if (cfg.passwordFile != null) then ''
-      password=$(printf "%q" "$(head -n 1 "${cfg.passwordFile}")")
-      sed -i "s|^password=$|password=$password|" /run/${RuntimeDirectory}/ddclient.conf
+      "${pkgs.replace-secret}/bin/replace-secret" "@password_placeholder@" "${cfg.passwordFile}" "/run/${RuntimeDirectory}/ddclient.conf"
     '' else ''
-      sed -i '/^password=$/d' /run/${RuntimeDirectory}/ddclient.conf
+      sed -i '/^password=@password_placeholder@$/d' /run/${RuntimeDirectory}/ddclient.conf
     '')}
   '';
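Review bot: The literal `@password_placeholder@` is spelled out by hand three times — in the `password=` line of this hunk and again twice in the second hunk (the `replace-secret` argument and the `sed` delete pattern) — so a typo in any one copy would leave the placeholder text in /run/${RuntimeDirectory}/ddclient.conf as the effective password with no error. Binding it once in the enclosing `let`, e.g. `passwordPlaceholder = "@password_placeholder@";`, and writing `${passwordPlaceholder}` at all three sites keeps the template and its two consumers from drifting. The `let` that holds this config string starts outside the hunk, and the second hunk appears to end outside SOURCE (its header counts one more old line than is visible).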