On Sat, Dec 04, 2021 at 04:47:12PM -0600, Nathan Dehnel wrote: > https://guix.gnu.org/manual/en/html_node/G_002dExpressions.html > This says to set #:recursive? #t and guix will preserve its > permissions in the store. I have done this: > > (define guixrig_host_rsa_key > (local-file "ssh/guixrig_host_rsa_key" #:recursive? #t)) > > The file this expression puts in the store has permissions of 444, > despite the original being 400. How do I prevent guix from changing > permissions, or manually override them?
In general, the store cannot be used to store secrets. By design, everything in the store is made world-readable despite what permissions are set, for example in a package definition. I'm not sure if that's documented in the manual; I don't see it in the manual section The Store [1]. I'm not sure exactly what code ensures that everything in the store is readable, but it's probably somewhere in the daemon [0], which is what writes to the store [1]. The question of how to handle secrets in Guix has been discussed many times over the years and there are some solutions in various services; maybe there is a canonical solution now. But basically the idea is to store the secret outside of the store, like in /etc, as defined in a service configuration in config.scm. Hopefully some other people can join the conversation with more specific advice. [0] https://git.savannah.gnu.org/cgit/guix.git/tree/nix?h=v1.3.0 [1] I'd guess that canonicaliseTimestampAndPermissions is always called: https://guix.gnu.org/manual/en/html_node/The-Store.html
