Keyring isn't suid on nixos

Hi, I'm running NixOS and my 1password-keyringhelper isn't suid.
So I get this error:

[1P:foundation/op-linux/src/bin/keyring_helper.rs:150]
                keyring helper detected it was not running as root. This could lead to credentials being compromised, aborting!
                Permissions found: EUID: 1000, EGID: 100

I tried security.wrappers

security.wrappers = {
  "1Password-KeyringHelper" = {
    source = "${pkgs._1password-gui.out}/share/1password/1Password-KeyringHelper";
    setuid = true;
    group = "onepassword";
  };
};

Neither worked.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Nixos master
Sync Type: Not Provided

Comments

  • Savanni

    Team Member

    Hey, @auscyber. This is a realm that I know I still need to research. My understanding was that, to support things like security.wrappers, I would need to make some changes to the derivation file itself.

    Unfortunately, the NixOS filesystem may make it very difficult to support this feature. :frown: Even with the setuid bit, recent security audits have prompted us to tighten up things like file paths and ownership of more than just the 1Password executable. This makes me very unhappy, but it is very hard to verify the identity of any application on Linux, and we really don't want to have rogue processes just making a connection to an open 1Password session.

    I'm not giving up at all, though. I run 1Password on a NixOS machine, and really miss the browser integration there.

  • pkgs.buildFHSUserEnv could work

  • Savanni

    Team Member

    That's my guess, too. While it won't make it into the update that I need to send to Nixpkgs for 8.1.1, I'll try to prioritize it for our next stable release. I really like the feature and miss it on my NixOS machine.

  • SebTM
    edited July 19

    Hey, I also tried to get 1Password with Keyring-Helper/System Authentication (have working fingerprinter with sudo/i3lock/i3lock-color) and Browser-Support working. I have another issue now where I don't know what to do:

    Running just the Keyring-Helper e.g.:

    INFO 2021-07-19T20:36:34.911 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:144] initalizing keyring helper
    WARN 2021-07-19T20:36:35.180 main(ThreadId(1)) [1P:foundation/op-sys-info/src/process_verification.rs:124] binary permission verification failed for /nix/store/6krkl5ka31qd8ll1801w5z32cbm6k838-1password-8.1.2-10.BETA/share/1password/1Password-KeyringHelper2
    ERROR 2021-07-19T20:36:35.182 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:174] failed to verify keyring helper process permissions, aborting: BinaryPermissions

    More info, Nix code and the full log of the 1Password start are in the PR: https://github.com/NixOS/nixpkgs/pull/130652

    Hope you can help me/us to solve this and bring full-featured 1password to one more distribution :+1:

    Best Regards

  • Savanni

    Team Member

    Hi, @SebTM. Thank you for building that module, as it got me over a significant hurdle in just approaching this problem. I've pulled your branch and am able to reproduce this on my machine, too.

    Nothing is wrong with your module or the derivation (that I can see, so far, if we make progress we may find more problems...). Our executable verification process figures out the exact file path of the running process and checks the permissions on the file itself. I can see now where and why we're failing, and it looks like we didn't consider the possibility that write permission would be globally disabled.

    I'm getting a new build and will try it out.
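
A diagnostic for the file attributes discussed in this thread (resolved path, owner, setuid bit, write bits), as an added example that is not 1Password's verification code and not part of the original posts. `classify_mode` and `inspect_binary` are hypothetical helper names, GNU `stat` and `readlink` are assumed, and which of these attributes the helper actually enforces is not stated on the page.

```shell
#!/bin/sh
# Added example: reports attributes only, it does not reproduce the
# helper's own checks (those are not described in detail in the thread).

# classify_mode OCTAL_MODE
# Prints whether the setuid bit is set and who (if anyone) may write.
classify_mode() {
    m=$((0$1))                      # leading 0 forces octal interpretation
    if [ $((m & 04000)) -ne 0 ]; then suid=yes; else suid=no; fi
    if [ $((m & 0022)) -ne 0 ]; then
        w=group-or-other            # writable by someone besides the owner
    elif [ $((m & 0200)) -ne 0 ]; then
        w=owner
    else
        w=none                      # e.g. mode 555, as used for Nix store files
    fi
    echo "setuid=$suid writable=$w"
}

# inspect_binary PATH
# Resolves symlinks first, so the report describes the file that would
# actually be executed, then prints its owner uid and classified mode.
inspect_binary() {
    real=$(readlink -f -- "$1") || return 1
    [ -f "$real" ] || { echo "not a regular file: $real" >&2; return 1; }
    set -- $(stat -c '%a %u' -- "$real")   # $1 = octal mode, $2 = owner uid
    echo "path=$real owner_uid=$2 $(classify_mode "$1")"
}

# Usage on NixOS, comparing the wrapper with the store file it points at:
#   inspect_binary /run/wrappers/bin/1Password-KeyringHelper
#   inspect_binary "<store path from the WARN log line>"
```

Running it against both paths shows at a glance whether the setuid bit lives on the wrapper while the store file named in the log is read-only and has no setuid bit.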

  • Thanks for your response and getting into it :) Really hope we will get this on the road :+1:

  • Dayton_ag

    Team Member

    Not a problem, thanks for your help @SebTM! :smile:

  • FYI: Updated the PR to the latest beta release; the error still occurs. I removed the seemingly unneeded wrapper for BrowserSupport, but I'm unsure if it's somehow connected with KeyringHelper, as it is not unlocking the browser extension even though there is no error in the logs...

    I also did a cleanup and rebase, and applied feedback.

  • Dayton_ag

    Team Member

    Thanks for sharing, @SebTM! I'll make sure this gets passed along to @Savanni :smile:

  • Thanks for helping out @Dayton_ag :) I can also report the issue is still present with latest beta 8.2.0-56.BETA, there is also a new bug introduced compared to the beta-builds before - the tray-icon is still visible in i3wm but not responding on either left or right clicks :(

  • Hey, is there any news on supporting NixOS / is there a time frame?

  • Blake

    Team Member

    Hey again @SebTM 👋

    Generally speaking, we play our cards pretty close to the vest until we know we can follow through on something we've said we can do. Savanni is definitely interested in looking into what we can do for NixOS, but there isn't any additional news to share at this point in time.

  • Hey @Blake, thanks for the info - will wait for anything upcoming :)

  • Blake

    Team Member

    :) 👍
