Keyring isn't suid on nixos

Hi, I'm running NixOS and my 1Password-KeyringHelper isn't suid,
so I get this error:

[1P:foundation/op-linux/src/bin/keyring_helper.rs:150]
                keyring helper detected it was not running as root. This could lead to credentials being compromised, aborting!
                Permissions found: EUID: 1000, EGID: 100

I tried security.wrappers

security.wrappers = {
  "1Password-KeyringHelper" = {
    source = "${pkgs._1password-gui.out}/share/1password/1Password-KeyringHelper";
    setuid = true;
    group = "onepassword";
  };
};

Neither worked.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Nixos master
Sync Type: Not Provided

Comments

  • Savanni

    Team Member

    Hey, @auscyber. This is a realm that I know I still need to research. My understanding was that, to support things like security.wrappers, I would need to make some changes to the derivation file itself.

    Unfortunately, the NixOS filesystem may make it very difficult to support this feature. :frown: Even with the setuid bit, recent security audits have prompted us to tighten up things like file paths and ownership of more than just the 1Password executable. This makes me very unhappy, but it is very hard to verify the identity of any application on Linux, and we really don't want to have rogue processes just making a connection to an open 1Password session.

    I'm not giving up at all, though. I run 1Password on a NixOS machine, and really miss the browser integration there.

  • pkgs.buildFHSUserEnv could work

  • Savanni

    Team Member

    That's my guess, too. While it won't make it into the update that I need to send to Nixpkgs for 8.1.1, I'll try to prioritize it for our next stable release. I really like the feature and miss it on my NixOS machine.

  • SebTM
    edited July 19

    Hey, I also tried to get 1Password working with Keyring-Helper/System Authentication (I have a working fingerprint reader with sudo/i3lock/i3lock-color) and Browser-Support. I have another issue now where I don't know what to do:

    Running just the Keyring-Helper e.g.:

    INFO 2021-07-19T20:36:34.911 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:144] initalizing keyring helper
    WARN 2021-07-19T20:36:35.180 main(ThreadId(1)) [1P:foundation/op-sys-info/src/process_verification.rs:124] binary permission verification failed for /nix/store/6krkl5ka31qd8ll1801w5z32cbm6k838-1password-8.1.2-10.BETA/share/1password/1Password-KeyringHelper2
    ERROR 2021-07-19T20:36:35.182 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:174] failed to verify keyring helper process permissions, aborting: BinaryPermissions

    More info, Nix code and the full log of the 1Password start are in the PR: https://github.com/NixOS/nixpkgs/pull/130652

    Hope you can help me/us to solve this and bring full-featured 1Password to one more distribution :+1:

    Best Regards
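
For readers of this thread, an added example (not from the posts above and not 1Password's code) of the kind of ownership and mode check the replies describe. What the helper actually verifies is not stated in the thread; the policy below (regular file, root owner, setuid bit, expected group, no group/other write) and the gid `990` are assumptions, and the sample values are constructed.

```python
import os
import stat
from typing import List, NamedTuple


class FileInfo(NamedTuple):
    uid: int
    gid: int
    mode: int  # full st_mode, including the file-type bits


def permission_problems(info: FileInfo, expected_gid: int) -> List[str]:
    """List every reason a helper binary fails the assumed policy."""
    problems = []
    if not stat.S_ISREG(info.mode):
        problems.append("not a regular file")
    if info.uid != 0:
        problems.append(f"owner uid is {info.uid}, expected 0 (root)")
    if not info.mode & stat.S_ISUID:
        problems.append("setuid bit is not set")
    if info.gid != expected_gid:
        problems.append(f"group gid is {info.gid}, expected {expected_gid}")
    if info.mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems


def inspect(path: str, expected_gid: int) -> List[str]:
    """Check the file a path points to (os.stat follows symlinks)."""
    st = os.stat(path)
    return permission_problems(FileInfo(st.st_uid, st.st_gid, st.st_mode), expected_gid)


# Constructed sample values, not taken from a real system.
ONEPASSWORD_GID = 990  # hypothetical gid of the "onepassword" group
# Files under /nix/store are root-owned and read-only; the store keeps no setuid bits.
STORE_COPY = FileInfo(uid=0, gid=0, mode=stat.S_IFREG | 0o555)
# A setuid-root wrapper carrying the group from the first post (constructed mode).
WRAPPER = FileInfo(uid=0, gid=ONEPASSWORD_GID, mode=stat.S_IFREG | stat.S_ISUID | 0o550)

if __name__ == "__main__":
    for name, info in (("store copy", STORE_COPY), ("wrapper", WRAPPER)):
        print(name, "->", permission_problems(info, ONEPASSWORD_GID) or "ok")
```

This models mode and ownership only; the team member's reply also mentions file paths, which the example does not cover, so a wrapper that passes here can still be rejected by a path check.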
