Author: eelco
Date: Tue Mar 27 14:51:08 2012
New Revision: 33442
URL: https://nixos.org/websvn/nix/?rev=33442&sc=1
Log:
* Blackhole the address 169.254.169.254 after we've obtained the user
data to prevent non-root processes from getting the private host
key.
Modified:
nixos/trunk/modules/virtualisation/ec2-data.nix
Modified: nixos/trunk/modules/virtualisation/ec2-data.nix
==============================================================================
--- nixos/trunk/modules/virtualisation/ec2-data.nix Tue Mar 27 14:35:45
2012 (r33441)
+++ nixos/trunk/modules/virtualisation/ec2-data.nix Tue Mar 27 14:51:08
2012 (r33442)
@@ -15,10 +15,12 @@
task = true;
- path = [ pkgs.curl ];
+ path = [ pkgs.curl pkgs.iproute ];
script =
''
+ ip route del blackhole 169.254.169.254/32 || true
+
curl="curl --retry 3 --retry-delay 0 --fail"
echo "setting host name..."
@@ -53,6 +55,10 @@
(umask 077; echo "$key" > /etc/ssh/ssh_host_dsa_key)
echo "$key_pub" > /etc/ssh/ssh_host_dsa_key.pub
fi
+
+ # Since the user data is sensitive, prevent it from being
+ # accessed from now on.
+ ip route add blackhole 169.254.169.254/32
'';
};
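Review bot: The blackhole route at `ip route add blackhole 169.254.169.254/32` is only installed once every earlier step of the script has completed, so if one of the preceding `curl --fail` fetches exits non-zero and the script aborts (whether it does depends on shell options not visible in this hunk), the metadata endpoint stays reachable from the instance, which is exactly the exposure the commit means to close. Registering the route in an exit trap right after the `ip route del blackhole 169.254.169.254/32 || true` line of the first hunk, e.g. `trap 'ip route add blackhole 169.254.169.254/32' EXIT`, would make the block unconditional on success and could replace the trailing add. The comment above the add could also state the mitigation's scope as the log message does, e.g. `# Only protects against non-root processes: root can remove this route again.`. The enclosing `script = ''…''` attribute begins outside the hunk, so whether `set -e` is in effect cannot be confirmed here.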