permissions are too open #103

Closed
lxl66566 opened this issue Sep 19, 2024 · 8 comments · Fixed by #106

Comments

@lxl66566

Failed to start dae.service
warning: the following units failed: dae.service
× dae.service - dae Service
     Loaded: loaded (/etc/systemd/system/dae.service; enabled; preset: enabled)
    Drop-In: /nix/store/6ypvpgzv82cjvk5gbsii5jj5wq1r1g9g-system-units/dae.service.d
             └─overrides.conf
     Active: failed (Result: exit-code) since Thu 2024-09-19 20:05:48 CST; 277ms ago
 Invocation: 176b2296f1f54b80b8802dafe58525ab
       Docs: https://github.com/daeuniverse/dae
    Process: 111225 ExecStartPre=/nix/store/940w4mbmxrryv3bil0200ypj6h71ca0m-dae-v0.7.1/bin/dae validate -c /nix/store/zzpamv0kdgii82pabzqz61afhib8fd7r-absx.dae (code=exited, status=1/FAILURE)
         IP: 0B in, 0B out
   Mem peak: 143.1M
        CPU: 892ms

9月 19 20:05:47 absx systemd[1]: Starting dae Service...
9月 19 20:05:48 absx dae[111225]: permissions 0444 for '/nix/store/zzpamv0kdgii82pabzqz61afhib8fd7r-absx.dae' are too open; requires the file is NOT writable by the same group and NOT accessible by others; suggest 0640 or 0600
9月 19 20:05:48 absx systemd[1]: dae.service: Control process exited, code=exited, status=1/FAILURE
9月 19 20:05:48 absx systemd[1]: dae.service: Failed with result 'exit-code'.
9月 19 20:05:48 absx systemd[1]: Failed to start dae Service.
9月 19 20:05:48 absx systemd[1]: dae.service: Consumed 892ms CPU time, 143.1M memory peak.
warning: error(s) occurred while switching to the new configuration

My config:

services.dae = {
  enable = true;
  configFile = ./config/absx.dae;
  assets = with pkgs; [
    v2ray-geoip
    v2ray-domain-list-community
  ];
};

Permission of configFile:

Permissions  Size User Date Modified    Git Name
.rw-r--r--   13Ki absx 2024-09-19 19:56  NM absx.dae

(Changing this in /etc/nixos will not affect the copy in /nix/store.)

@dae-prow
Contributor

dae-prow bot commented Sep 19, 2024

Thanks for opening this issue!

@oluceps
Contributor

oluceps commented Sep 20, 2024

configFile = ./config/absx.dae;

This is an anti-pattern, since it stores your dae config file in the Nix store with global-readable permission. Please use an absolute path string, as the example shows.

@oluceps oluceps linked a pull request Sep 21, 2024 that will close this issue
@solitudealma

Why does it happen again when I use a string absolute path?

@oluceps
Contributor

oluceps commented Oct 8, 2024

Why does it happen again when I use a string absolute path?

How do you configure it?

@oluceps
Contributor

oluceps commented Oct 8, 2024

Why does it happen again when I use a string absolute path?

If so, it might literally be a permissions-too-open issue. Execute stat /path/to/daeconfig and check whether the permissions meet the requirement.

@solitudealma

solitudealma commented Oct 8, 2024

{
  config,
  inputs,
  lib,
  pkgs,
  ...
}: {
  environment.systemPackages = with inputs.daeuniverse.packages.x86_64-linux;
    lib.optionals config.services.daed.enable [
      dae
      daed
    ];

  services.dae = {
    disableTxChecksumIpGeneric = false;
    enable = true;
    openFirewall = {
      enable = true;
      port = 12345;
    };

    configFile = "/home/solitudealma/nixos-config/nixos/_mixins/configs/dae/config.dae";
    assets = with pkgs; [v2ray-geoip v2ray-domain-list-community];
  };

  services.daed = {
    assetsPaths = with pkgs; [
      "${v2ray-geoip}/share/v2ray/geoip.dat"
      "${v2ray-domain-list-community}/share/v2ray/geosite.dat"
    ];
    configDir = "/home/solitudealma/nixos-config/nixos/_mixins/configs/dae";
    enable = true;
    openFirewall = {
      enable = true;
      port = 12345;
    };
  };

  # manual launch(geoip.dat,geosite.dat,config.dae needs to be in the same directory):
  # `wget https://cdn.jsdelivr.net/gh/Loyalsoldier/geoip@release/geoip.dat`
  # `wget https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geosite.dat`
  # `dae run --disable-timestamp -c /path/to/config.dae`
}

err:

permissions 0644 for '/home/solitudealma/nixos-config/nixos/_mixins/configs/dae/config.dae' are too open; requires the file is NOT writable by the same group and NOT accessible by others; suggest 0640 or 0600

@oluceps
Contributor

oluceps commented Oct 10, 2024

err:

permissions 0644 for '/home/solitudealma/nixos-config/nixos/_mixins/configs/dae/config.dae' are too open; requires the file is NOT writable by the same group and NOT accessible by others; suggest 0640 or 0600

Just setting the permission solves this.

chmod 640 /home/solitudealma/nixos-config/nixos/_mixins/configs/dae/config.dae

Since we have no way to check the file permission at eval time, the too-open file permission is reported at runtime.
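
The rule quoted in the error message ("NOT writable by the same group and NOT accessible by others") can be checked before the unit is restarted. The script below is an added example, not part of this thread and not dae's own code; it assumes the rule is equivalent to "no bits set in mask 0027", assumes GNU `stat`, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check mirroring the rule in dae's error text.
# Assumption: the rule means "no permission bits in mask 0027".
# Assumption: GNU coreutils stat (`stat -c %a`), as on NixOS.

# Print the octal permission bits of a file, e.g. 644.
file_mode() {
    stat -c '%a' -- "$1"
}

# Succeed only if the octal mode has no group-write and no "other" bits.
mode_ok() {
    [ $(( 0$1 & 027 )) -eq 0 ]
}

# Name the offending permission classes for an octal mode.
explain_mode() {
    m=$(( 0$1 ))
    out=""
    if [ $(( m & 020 )) -ne 0 ]; then out="$out group-writable"; fi
    if [ $(( m & 007 )) -ne 0 ]; then out="$out accessible-by-others"; fi
    echo "${out# }"
}

# Check one config file; returns 0 if acceptable, 1 if too open, 2 on stat error.
check_config() {
    mode=$(file_mode "$1") || return 2
    if mode_ok "$mode"; then
        echo "ok: $1 ($mode)"
    else
        echo "too open: $1 ($mode): $(explain_mode "$mode")"
        return 1
    fi
}

# Constructed sample files: 444 is the mode reported for the /nix/store copy,
# 644 the mode reported for the file under /home, 640 and 600 the suggested modes.
demo() {
    dir=$(mktemp -d)
    for m in 444 644 640 600; do
        f="$dir/config-$m.dae"
        : > "$f"
        chmod "$m" "$f"
        check_config "$f" || true
    done
    rm -rf "$dir"
}
demo
```

Calling `check_config /path/to/config.dae` on the real file gives the same verdict as the modes shown in the two error messages above: 0444 and 0644 fail because of the read bit for others, while 0640 and 0600 pass.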

@solitudealma

thx
