Keyring isn't suid on nixos
Hi, I'm running nixos and my 1password-keyringhelper isn't suid.
so i get this error
[1P:foundation/op-linux/src/bin/keyring_helper.rs:150]
keyring helper detected it was not running as root. This could lead to credentials being compromised, aborting!
Permissions found: EUID: 1000, EGID: 100
I tried security.wrappers
security.wrappers = {
"1Password-KeyringHelper" = {
source = "${pkgs._1password-gui.out}/share/1password/1Password-KeyringHelper";
setuid = true;
group = "onepassword";
};
};
neither worked
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Nixos master
Sync Type: Not Provided
Comments
Team Member
Hey, @auscyber . This is a realm that I know I still need to research. My understanding was that, to support things like
security.wrappers, I would need to make some changes to the derivation file itself.Unfortunately, the NixOS filesystem may make it very difficult to support this feature. :frown: Even with the setuid bit, recent security audits have prompted us to tighten up things like file paths and ownership of more than just the 1Password executable. This makes me very unhappy, but it is very hard to verify the identity of any application on Linux, and we really don't want to have rogue processes just making a connection to an open 1Password session.
I'm not giving up at all, though. I run 1Password on a NixOS machine, and really miss the browser integration there.
pkgs.buildFHSUserEnv could work
Team Member
That's my guess, too. While it won't make it into the update that I need to send to Nixpkgs for 8.1.1, I'll try to prioritize it for our next stable release. I really like the feature and miss it on my NixOS machine.
Hey, I also tried to get 1Password with Keyring-Helper/System Authentication (have working fingerprinter with sudo/i3lock/i3lock-color) and Browser-Support working. I have another issue now where I don't know what to do:
Running just the Keyring-Helper e.g.:
More infos, nix-code and full log of 1Password-start in PR: https://github.com/NixOS/nixpkgs/pull/130652
Hope you can help me/us to solve this and bring full-featured 1password to one more distribution :+1:
Best Regards
Team Member
Hi, @SebTM. Thank you for building that module, as it got me over a significant hurdle in just approaching this problem. I've pulled your branch and am able to reproduce this on my machine, too.
Nothing is wrong with your module or the derivation (that I can see, so far, if we make progress we may find more problems...). Our executable verification process figures out the exact file path of the running process and checks the permissions on the file itself. I can see now where and why we're failing, and it looks like we didn't consider the possibility that write permission would be globally disabled.
I'm getting a new build and will try it out.
Thanks for your response and getting into it :) Really hope we will get this on the road :+1:
Team Member
Not a problem, thanks for your help @SebTM! :smile:
FYI: Updated PR to latest beta release, error still occurs, removed the seems unneeded wrapper for BrowserSupport but unsure if it's somehow connected with KeyringHelper as it is not unlocking browser-extension even there is no error in the logs...
I also did a cleanup and, rebase and applied feedback.
Team Member
Thanks for sharing, @SebTM! I'll make sure this gets passed along to @Savanni :smile:
Thanks for helping out @Dayton_ag :) I can also report the issue is still present with latest beta 8.2.0-56.BETA, there is also a new bug introduced compared to the beta-builds before - the tray-icon is still visible in i3wm but not responding on either left or right clicks :(
Hey, are there an news in supporting NixOS/is there a time frame?
Team Member
Hey again @SebTM 👋
Generally-speaking, we play our cards pretty close to the vest until we know we follow-through on something we've said we can do. Savanni is definitely interested in looking into what we can do for NixOS, but there isn't any additional news to share at this point in time.
Hey @Blake, thanks for the info - will wait for anything upcoming :)
Team Member
:) 👍
Hey, I'm really sad to see that nothing happens on this topic especially when there is community willingness/effort to help on which we simply can't do more at this state :(
Team Member
Hi, @SebTM . I'm really sorry for taking so long on this.
In the last couple of days, with things at work slowing down because of the winter vacations, I've been able to make some headway here. So I've been hammering away through some of this for a couple of days.
Right now, I have nothing I can ship to you. I can say that we will need to add 1Password-BrowserHelper as an SGID script. We potentially need to add 1Password-KeyringHelper as both SUID and SGID. Here's a snippet that I've added to my configuration.nix:
users.groups.onepassword.gid = 44399; security.wrappers = { "1Password-BrowserSupport" = { source = "${_1password-gui}/share/1password/1Password-BrowserSupport"; owner = "root"; group = "onepassword"; setuid = false; setgid = true; }; "1Password-KeyringHelper" = { source = "${_1password-gui}/share/1password/1Password-KeyringHelper"; owner = "root"; group = "onepassword"; setuid = true; setgid = true; }; };However, this is not enough. We make certain assumptions about where to find these executables inside 1Password, plus we run some other checks. I've resolved the filesystem limitations and am working through a few additional problems. However, I wouldn't be able to release anything until I consult with our security experts, and the true expert in this area of the code is already on vacation for the rest of the year.
Obviously we won't want users to have to enter the above code themselves. I'll probably go ahead and start building a Nix module that handles it while I'm on break, and then really finish it off once I can get the rest of the code working.
Again, I am sorry for taking so long. Thank you for your patience, and for pushing me.
Hey @Savanni,
thanks for your feedback, I appreciate your follow-up and efforts on this :+1: :-)
Let's stay in touch here/E-Mail me if you want (need testers) - I'm happy to help!
Best Regards
Team Member
@SebTM Hey, I wanted to let you know that I got this working last week, and that the above settings are the only ones that you'll need for NixOS. I just need a review from one particular security expert here at the company before we can merge it. Unfortunately, he was sick last week, but we can get this into the nightly builds as soon as he returns and checks my work.
@Savanni Thank you, that's awesome! I'm looking forward to hear when he is well again and has time to check :+1:
Team Member
@SebTM Hey, there! The necessary changes were released yesterday in 8.6.0-6.
I opened an MR that adds the module to NixOS, but there were some problems with it. I have some more experiments to do, which possibly involves overriding the install script. I do know that there is a change in our new betas that requires a change to the install script.
This is the MR I started with: https://github.com/NixOS/nixpkgs/pull/158670. I think the module is good, but I can't prove that when my package override doesn't work. I'll have to run the experiments, though, because I don't want to have to wait until the next stable release.
Hi @Savanni! Super excited to have first class 1pass support on my Nixos boxes. Let me know if there's anything that would be helpful on the nix/nixpkgs side of things. I package 1password for myself so I can update on demand, so I have a bit of experience in the "1password-nix connection" world.
Thank you so much again!
Team Member
Hi, @DAlperin . I'm 99% certain that the binary works since I have built and installed on a NixOS machine, and I think the problem is just going to be in the derivation currently in Nixpkgs. The strange thing that I'm seeing is that somehow, libudev is no longer findable.
The first thing I want to try is to extract the policykit instruction into postInstall. We've changed how that file gets generated in the 8.6 series. If I move it to postInstall in the 8.5 derivation, I'll be able to override it in the 8.6 beta derivation. Come to think of it, that's going to be a very simple change, so maybe I can MR it today.
After that, just need to evaluate the derivation itself to figure out why precisely libudev isn't being found.
None of this requires changes to the 1Password build itself, so I'd welcome help with troubleshooting if you have time. I'm deeply buried under a lot of other work.
@Savanni this might be a completely wrong (and definitely hacky) idea but what if you added this to the install script to bring libudev into scope specifically?
ln -s ${lib.getLib systemd}/lib/libudev.so $out/share/lib/libudev.so.0Do you mind sharing exactly what the libudev error is? (I can't quite afford to switch to the beta right now since I rely on 1password so heavily, I can probably spin up a vm later)
Team Member
Hey, @DAlperin. 8.6 is now stable and I have an pull request up to get the upgrade into NixOS unstable channel.
https://github.com/NixOS/nixpkgs/pull/164468
Additionally, I have a commit up, which depends on the 8.6 MR, that has browser integration mostly working (except for a bug where the browser isn't able to start 1password, but can delegate authentication to 1password if the desktop app has already been launched).
https://github.com/savannidgerinel/nixpkgs/tree/savanni/1password-browsersupport
At the moment, we're waiting for the first one to get reviewed and merged and then the second one is good to go.
Finally, I'm really sorry for leaving you hanging for so long. Somehow I never saw this message, which probably means that I mass deleted notifications at the wrong time.
No worries! I appreciate all the work you have put into it. I saw the 8.6 PR merged so I'm excited to see the module go upstream! Until then I'll pull your module locally and give it a go!
Not being able to start 1password from the browser is a small price to pay, having it work together once it's started is amazing. Maybe I'll delegate starting the 1password app to systemd so it will always be running.
I'll give it a try later today hopefully and let you know how it goes. Thank you so much again.
@Savanni it works! This is extremely exciting, thank you so much for all your work on this problem. This will improve my daily workflow exponentially. I'll keep thinking up a solution for the inability of the browser to start the 1password daemon, but like I said, that is nothing but an extremely minor inconvenience.
Is it ok if I reach out here if I find any bugs in my testing over the next few days?
Thank you so much again.
Team Member
Absolutely, and it is great to see it working for you! It's working for me, too, and it is definitely improving my life.
I am almost certain that somewhere in our code, we have hard-coded the path to the 1password executable. Probably not something you can fix from outside. I'll keep investigating, especially since I'll need to solve the this same problem for flatpak ASAP.
This might want to get documented somewhere, in order to make the polkit integration work I had to override the module package to
(pkgs._1password-gui.override ({ polkitPolicyOwners = ["dovalperin"]; }))which makes sense in retrospect but was momentarily confusing. Otherwise it is working perfectly so far!Hey Savanni,
I've checked out your PR and so far the browser integration is working fine :+1:
For system-integration like fingerprint-auth I see a shaking icon but noting in the cli-output or to report why it's not working:
INFO 2022-03-24T17:15:40.717 ThreadId(18) [client:typescript] Client starting. INFO 2022-03-24T17:15:40.786 tokio-runtime-worker(ThreadId(3)) [1P:native-messaging/op-native-core-integration/src/lib.rs:281] Starting IPC listener on 1Password-BrowserSupport INFO 2022-03-24T17:15:40.786 ThreadId(18) [1P:op-localization/src/lib.rs:186] system locale detected as 'en_US' INFO 2022-03-24T17:15:40.786 ThreadId(18) [1P:op-localization/src/lib.rs:212] selected translations for EN_US based on detected locale en-US INFO 2022-03-24T17:15:40.786 tokio-runtime-worker(ThreadId(3)) [1P:native-messaging/op-native-core-integration/src/lib.rs:293] Active native core integration is awaiting messages INFO 2022-03-24T17:15:40.786 ThreadId(18) [status:op-app/src/app.rs:325] App::new(1Password for Linux/80600076 (EN_US), /home/$USER/.config/1Password/1password.sqlite) INFO 2022-03-24T17:15:40.787 ThreadId(18) [1P:op-db/src/db.rs:120] Starting DB at version: 23 INFO 2022-03-24T17:15:40.788 ThreadId(18) [1P:ssh/op-ssh-config/src/lib.rs:206] agent not configured ERROR 2022-03-24T17:15:40.788 ThreadId(18) [1P:ffi/core-node/src/lib.rs:65] Attempted to notify uninitialized App INFO 2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/google-chrome/NativeMessagingHosts/com.1password.1password.json INFO 2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/google-chrome-beta/NativeMessagingHosts/com.1password.1password.json INFO 2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/google-chrome-unstable/NativeMessagingHosts/com.1password.1password.json INFO 2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/chromium/NativeMessagingHosts/com.1password.1password.json INFO 2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/microsoft-edge-dev/NativeMessagingHosts/com.1password.1password.json INFO 2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/com.1password.1password.json INFO 2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/vivaldi/NativeMessagingHosts/com.1password.1password.json INFO 2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/vivaldi-snapshot/NativeMessagingHosts/com.1password.1password.json INFO 2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.mozilla/native-messaging-hosts/com.1password.1password.json INFO 2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:83] Successfully installed all native messaging manifests. INFO 2022-03-24T17:15:40.790 tokio-runtime-worker(ThreadId(16)) [1P:ssh/op-agent-controller/src/desktop.rs:285] SSH Agent has started. [450618:0324/171540.856969:ERROR:sandbox_linux.cc(377)] InitializeSandbox() called with multiple threads in process gpu-process. WARN 2022-03-24T17:15:41.055 op_executor:invocation_loop(ThreadId(22)) [1P:foundation/op-linux/src/kernel_keyring.rs:817] failed to initialize keyring helper, its functionality will be unavailable: Io(Error { kind: UnexpectedEof, message: "failed to fill whole buffer" }) INFO 2022-03-24T17:16:22.227 tokio-runtime-worker(ThreadId(8)) [1P:op-data-layer/src/load.rs:136] loaded 727 items in 11 vaults for account: xxx INFO 2022-03-24T17:16:22.233 op_executor:invocation_loop(ThreadId(22)) [1P:op-app/src/app/backend/unlock.rs:80] Lock state changed: Unlocked INFO 2022-03-24T17:16:23.662 tokio-runtime-worker(ThreadId(3)) [1P:op-syncer/src/sync_job.rs:276] synced account xxx (0.173358516s) INFO 2022-03-24T17:16:23.663 tokio-runtime-worker(ThreadId(3)) [1P:op-data-layer/src/file.rs:608] find_and_complete_pending_uploads: 'xxx' INFO 2022-03-24T17:16:24.167 tokio-runtime-worker(ThreadId(16)) [1P:op-data-layer/src/sync.rs:512] The B5 Notifier for (xxx) has connected, now monitoring for events. INFO 2022-03-24T17:16:25.927 op_executor:invocation_loop(ThreadId(22)) [1P:op-app/src/app/backend/lock.rs:72] Lock state changed: Locked INFO 2022-03-24T17:16:25.928 op_executor:invocation_loop(ThreadId(22)) [1P:op-app/src/app/backend/lock.rs:94] Locked. Reason: Manual.Thanks for keeping up, I'm happy to see this in NixOS soon :)
Best wishes and stay safe :+1
Edit: Two little findings not related to this maybe you can tell me where to place them/forward them:
Is there a reason I loose my right click menu on the tray Icon when I enable Quick-Access on left click?
Is the nesting of the three dot menu (see screenshot) intended? (its not nice to use I would say :D)
Edit 2: I tried to use the new ssh-feature and it seems to be also not working? for me at least (using the 8.6 release from your PR) there is is a socket showing up in users-".1password" directory:
"srw------- 0 sebtm 24 Mar 17:39 /home/sebtm/.1password/agent.sock"
but when I connect via ssh somewhere I'm not offered anything by 1Password (which is running) an see "Permission denied (publickey)." (like without a key)
I tried to interact with the socket with netcat/socat but I don't get any responses/see anything from there. In the logs I found:
ERROR 2022-03-24T17:41:11.143 tokio-runtime-worker(ThreadId(2)) [1P:native-messaging/op-native-core-integration/src/connection_handler.rs:60] message from b5x was None: EndConnection ERROR 2022-03-24T17:41:11.143 tokio-runtime-worker(ThreadId(2)) [1P:native-messaging/op-native-core-integration/src/connection_handler.rs:31] Dropping connection with b5x due to error handling incoming message: EndConnection INFO 2022-03-24T17:41:17.773 tokio-runtime-worker(ThreadId(2)) [1P:ui/op-settings-ui/src/save.rs:792] Error parsing Keyboard Shortcut: Keyboard Shortcut: Control + ControlLeft [] INFO 2022-03-24T17:41:18.243 tokio-runtime-worker(ThreadId(2)) [1P:ui/op-settings-ui/src/save.rs:792] Error parsing Keyboard Shortcut: Keyboard Shortcut: Control + Shift + ShiftLeft [] INFO 2022-03-24T17:41:18.745 ThreadId(18) [client:typescript] Settings file changed. INFO 2022-03-24T17:41:29.756 op_executor:invocation_loop(ThreadId(22)) [1P:op-app/src/app/backend/frontend.rs:24] Front end event: window closed INFO 2022-03-24T17:42:25.652 tokio-runtime-worker(ThreadId(16)) [1P:native-messaging/op-native-core-integration/src/lib.rs:305] Extension connecting. INFO 2022-03-24T17:42:25.652 tokio-runtime-worker(ThreadId(16)) [1P:native-messaging/op-native-core-integration/src/lib.rs:307] Extension connection accepted. WARN 2022-03-24T17:57:55.971 tokio-runtime-worker(ThreadId(4)) [1P:ssh/op-ssh-agent/src/lib.rs:252] failed to receive agent request (Io(Io { kind: Other, inner: "<redacted>" })), replying with SSH_AGENT_FAILURE WARN 2022-03-24T17:57:55.971 tokio-runtime-worker(ThreadId(4)) [1P:ssh/op-ssh-agent/src/lib.rs:261] failed to receive agent request(Io(Os { code: 32, kind: BrokenPipe, message: "Broken pipe" })), dropping clientI have also some recurring errors/logs with just one line created:
INFO 2022-03-24T17:24:11.717 ThreadId(18) [client:typescript] 1Password is already running, closing.(I guess when I open it via rofi when in tray)But all in all, I'm sure we will find solutions for it and get 1Password one better ;)