Keyring isn't suid on nixos

auscyber
auscyber
Community Member

Hi, I'm running nixos and my 1password-keyringhelper isn't suid.
so i get this error

[1P:foundation/op-linux/src/bin/keyring_helper.rs:150]
                keyring helper detected it was not running as root. This could lead to credentials being compromised, aborting!
                Permissions found: EUID: 1000, EGID: 100

I tried security.wrappers

security.wrappers = {
   "1Password-KeyringHelper"  = {
      source = "${pkgs._1password-gui.out}/share/1password/1Password-KeyringHelper";
      setuid = true;
      group = "onepassword";
    };
  };

neither worked


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Nixos master
Sync Type: Not Provided

«1

Comments

  • Hey, @auscyber . This is a realm that I know I still need to research. My understanding was that, to support things like security.wrappers, I would need to make some changes to the derivation file itself.

    Unfortunately, the NixOS filesystem may make it very difficult to support this feature. :frown: Even with the setuid bit, recent security audits have prompted us to tighten up things like file paths and ownership of more than just the 1Password executable. This makes me very unhappy, but it is very hard to verify the identity of any application on Linux, and we really don't want to have rogue processes just making a connection to an open 1Password session.

    I'm not giving up at all, though. I run 1Password on a NixOS machine, and really miss the browser integration there.

  • auscyber
    auscyber
    Community Member

    pkgs.buildFHSUserEnv could work

  • That's my guess, too. While it won't make it into the update that I need to send to Nixpkgs for 8.1.1, I'll try to prioritize it for our next stable release. I really like the feature and miss it on my NixOS machine.

  • SebTM
    SebTM
    Community Member
    edited July 2021

    Hey, I also tried to get 1Password with Keyring-Helper/System Authentication (have working fingerprinter with sudo/i3lock/i3lock-color) and Browser-Support working. I have another issue now where I don't know what to do:

    Running just the Keyring-Helper e.g.:

    INFO 2021-07-19T20:36:34.911 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:144] initalizing keyring helper
    WARN 2021-07-19T20:36:35.180 main(ThreadId(1)) [1P:foundation/op-sys-info/src/process_verification.rs:124] binary permission verification failed for /nix/store/6krkl5ka31qd8ll1801w5z32cbm6k838-1password-8.1.2-10.BETA/share/1password/1Password-KeyringHelper2
    ERROR 2021-07-19T20:36:35.182 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:174] failed to verify keyring helper process permissions, aborting: BinaryPermissions

    More infos, nix-code and full log of 1Password-start in PR: https://github.com/NixOS/nixpkgs/pull/130652

    Hope you can help me/us to solve this and bring full-featured 1password to one more distribution :+1:

    Best Regards

  • Hi, @SebTM. Thank you for building that module, as it got me over a significant hurdle in just approaching this problem. I've pulled your branch and am able to reproduce this on my machine, too.

    Nothing is wrong with your module or the derivation (that I can see, so far, if we make progress we may find more problems...). Our executable verification process figures out the exact file path of the running process and checks the permissions on the file itself. I can see now where and why we're failing, and it looks like we didn't consider the possibility that write permission would be globally disabled.

    I'm getting a new build and will try it out.

  • SebTM
    SebTM
    Community Member

    Thanks for your response and getting into it :) Really hope we will get this on the road :+1:

  • Not a problem, thanks for your help @SebTM! :smile:

  • SebTM
    SebTM
    Community Member

    FYI: Updated PR to latest beta release, error still occurs, removed the seems unneeded wrapper for BrowserSupport but unsure if it's somehow connected with KeyringHelper as it is not unlocking browser-extension even there is no error in the logs...

    I also did a cleanup and, rebase and applied feedback.

  • Thanks for sharing, @SebTM! I'll make sure this gets passed along to @Savanni :smile:

  • SebTM
    SebTM
    Community Member

    Thanks for helping out @Dayton_ag :) I can also report the issue is still present with latest beta 8.2.0-56.BETA, there is also a new bug introduced compared to the beta-builds before - the tray-icon is still visible in i3wm but not responding on either left or right clicks :(

  • SebTM
    SebTM
    Community Member

    Hey, are there an news in supporting NixOS/is there a time frame?

  • Hey again @SebTM 👋

    Generally-speaking, we play our cards pretty close to the vest until we know we follow-through on something we've said we can do. Savanni is definitely interested in looking into what we can do for NixOS, but there isn't any additional news to share at this point in time.

  • SebTM
    SebTM
    Community Member

    Hey @Blake, thanks for the info - will wait for anything upcoming :)

  • :) 👍

  • SebTM
    SebTM
    Community Member

    Hey, I'm really sad to see that nothing happens on this topic especially when there is community willingness/effort to help on which we simply can't do more at this state :(

  • Hi, @SebTM . I'm really sorry for taking so long on this.

    In the last couple of days, with things at work slowing down because of the winter vacations, I've been able to make some headway here. So I've been hammering away through some of this for a couple of days.

    Right now, I have nothing I can ship to you. I can say that we will need to add 1Password-BrowserHelper as an SGID script. We potentially need to add 1Password-KeyringHelper as both SUID and SGID. Here's a snippet that I've added to my configuration.nix:

      users.groups.onepassword.gid = 44399;
    
      security.wrappers = {
        "1Password-BrowserSupport" =
          { source = "${_1password-gui}/share/1password/1Password-BrowserSupport";
            owner = "root";
            group = "onepassword";
            setuid = false;
            setgid = true;
          };
    
        "1Password-KeyringHelper" =
          { source = "${_1password-gui}/share/1password/1Password-KeyringHelper";
            owner = "root";
            group = "onepassword";
            setuid = true;
            setgid = true;
          };
        };
    

    However, this is not enough. We make certain assumptions about where to find these executables inside 1Password, plus we run some other checks. I've resolved the filesystem limitations and am working through a few additional problems. However, I wouldn't be able to release anything until I consult with our security experts, and the true expert in this area of the code is already on vacation for the rest of the year.

    Obviously we won't want users to have to enter the above code themselves. I'll probably go ahead and start building a Nix module that handles it while I'm on break, and then really finish it off once I can get the rest of the code working.

    Again, I am sorry for taking so long. Thank you for your patience, and for pushing me.

  • SebTM
    SebTM
    Community Member

    Hey @Savanni,

    thanks for your feedback, I appreciate your follow-up and efforts on this :+1: :-)
    Let's stay in touch here/E-Mail me if you want (need testers) - I'm happy to help!

    Best Regards

  • @SebTM Hey, I wanted to let you know that I got this working last week, and that the above settings are the only ones that you'll need for NixOS. I just need a review from one particular security expert here at the company before we can merge it. Unfortunately, he was sick last week, but we can get this into the nightly builds as soon as he returns and checks my work.

  • SebTM
    SebTM
    Community Member

    @Savanni Thank you, that's awesome! I'm looking forward to hear when he is well again and has time to check :+1:

  • @SebTM Hey, there! The necessary changes were released yesterday in 8.6.0-6.

    I opened an MR that adds the module to NixOS, but there were some problems with it. I have some more experiments to do, which possibly involves overriding the install script. I do know that there is a change in our new betas that requires a change to the install script.

    This is the MR I started with: https://github.com/NixOS/nixpkgs/pull/158670. I think the module is good, but I can't prove that when my package override doesn't work. I'll have to run the experiments, though, because I don't want to have to wait until the next stable release.

  • DAlperin
    DAlperin
    Community Member

    Hi @Savanni! Super excited to have first class 1pass support on my Nixos boxes. Let me know if there's anything that would be helpful on the nix/nixpkgs side of things. I package 1password for myself so I can update on demand, so I have a bit of experience in the "1password-nix connection" world.

    Thank you so much again!

  • Hi, @DAlperin . I'm 99% certain that the binary works since I have built and installed on a NixOS machine, and I think the problem is just going to be in the derivation currently in Nixpkgs. The strange thing that I'm seeing is that somehow, libudev is no longer findable.

    The first thing I want to try is to extract the policykit instruction into postInstall. We've changed how that file gets generated in the 8.6 series. If I move it to postInstall in the 8.5 derivation, I'll be able to override it in the 8.6 beta derivation. Come to think of it, that's going to be a very simple change, so maybe I can MR it today.

    After that, just need to evaluate the derivation itself to figure out why precisely libudev isn't being found.

    None of this requires changes to the 1Password build itself, so I'd welcome help with troubleshooting if you have time. I'm deeply buried under a lot of other work.

  • DAlperin
    DAlperin
    Community Member
    edited February 2022

    @Savanni this might be a completely wrong (and definitely hacky) idea but what if you added this to the install script to bring libudev into scope specifically?

    ln -s ${lib.getLib systemd}/lib/libudev.so $out/share/lib/libudev.so.0
    
  • DAlperin
    DAlperin
    Community Member
    edited February 2022

    Do you mind sharing exactly what the libudev error is? (I can't quite afford to switch to the beta right now since I rely on 1password so heavily, I can probably spin up a vm later)

  • Hey, @DAlperin. 8.6 is now stable and I have an pull request up to get the upgrade into NixOS unstable channel.

    https://github.com/NixOS/nixpkgs/pull/164468

    Additionally, I have a commit up, which depends on the 8.6 MR, that has browser integration mostly working (except for a bug where the browser isn't able to start 1password, but can delegate authentication to 1password if the desktop app has already been launched).

    https://github.com/savannidgerinel/nixpkgs/tree/savanni/1password-browsersupport

    At the moment, we're waiting for the first one to get reviewed and merged and then the second one is good to go.

    Finally, I'm really sorry for leaving you hanging for so long. Somehow I never saw this message, which probably means that I mass deleted notifications at the wrong time.

  • DAlperin
    DAlperin
    Community Member

    No worries! I appreciate all the work you have put into it. I saw the 8.6 PR merged so I'm excited to see the module go upstream! Until then I'll pull your module locally and give it a go!

    Not being able to start 1password from the browser is a small price to pay, having it work together once it's started is amazing. Maybe I'll delegate starting the 1password app to systemd so it will always be running.

    I'll give it a try later today hopefully and let you know how it goes. Thank you so much again.

  • DAlperin
    DAlperin
    Community Member

    @Savanni it works! This is extremely exciting, thank you so much for all your work on this problem. This will improve my daily workflow exponentially. I'll keep thinking up a solution for the inability of the browser to start the 1password daemon, but like I said, that is nothing but an extremely minor inconvenience.

    Is it ok if I reach out here if I find any bugs in my testing over the next few days?

    Thank you so much again.

  • Absolutely, and it is great to see it working for you! It's working for me, too, and it is definitely improving my life.

    I am almost certain that somewhere in our code, we have hard-coded the path to the 1password executable. Probably not something you can fix from outside. I'll keep investigating, especially since I'll need to solve the this same problem for flatpak ASAP.

  • DAlperin
    DAlperin
    Community Member

    This might want to get documented somewhere, in order to make the polkit integration work I had to override the module package to (pkgs._1password-gui.override ({ polkitPolicyOwners = ["dovalperin"]; })) which makes sense in retrospect but was momentarily confusing. Otherwise it is working perfectly so far!

  • SebTM
    SebTM
    Community Member
    edited March 2022

    Hey Savanni,

    I've checked out your PR and so far the browser integration is working fine :+1:
    For system-integration like fingerprint-auth I see a shaking icon but noting in the cli-output or to report why it's not working:

    INFO  2022-03-24T17:15:40.717 ThreadId(18) [client:typescript] Client starting.
    INFO  2022-03-24T17:15:40.786 tokio-runtime-worker(ThreadId(3)) [1P:native-messaging/op-native-core-integration/src/lib.rs:281] Starting IPC listener on 1Password-BrowserSupport
    INFO  2022-03-24T17:15:40.786 ThreadId(18) [1P:op-localization/src/lib.rs:186] system locale detected as 'en_US'
    INFO  2022-03-24T17:15:40.786 ThreadId(18) [1P:op-localization/src/lib.rs:212] selected translations for EN_US based on detected locale en-US
    INFO  2022-03-24T17:15:40.786 tokio-runtime-worker(ThreadId(3)) [1P:native-messaging/op-native-core-integration/src/lib.rs:293] Active native core integration is awaiting messages
    INFO  2022-03-24T17:15:40.786 ThreadId(18) [status:op-app/src/app.rs:325] App::new(1Password for Linux/80600076 (EN_US), /home/$USER/.config/1Password/1password.sqlite)
    INFO  2022-03-24T17:15:40.787 ThreadId(18) [1P:op-db/src/db.rs:120] Starting DB at version: 23
    INFO  2022-03-24T17:15:40.788 ThreadId(18) [1P:ssh/op-ssh-config/src/lib.rs:206] agent not configured
    ERROR 2022-03-24T17:15:40.788 ThreadId(18) [1P:ffi/core-node/src/lib.rs:65] Attempted to notify uninitialized App
    INFO  2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/google-chrome/NativeMessagingHosts/com.1password.1password.json
    INFO  2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/google-chrome-beta/NativeMessagingHosts/com.1password.1password.json
    INFO  2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/google-chrome-unstable/NativeMessagingHosts/com.1password.1password.json
    INFO  2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/chromium/NativeMessagingHosts/com.1password.1password.json
    INFO  2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/microsoft-edge-dev/NativeMessagingHosts/com.1password.1password.json
    INFO  2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/com.1password.1password.json
    INFO  2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/vivaldi/NativeMessagingHosts/com.1password.1password.json
    INFO  2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.config/vivaldi-snapshot/NativeMessagingHosts/com.1password.1password.json
    INFO  2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:68] Created NMH manifest at /home/$USER/.mozilla/native-messaging-hosts/com.1password.1password.json
    INFO  2022-03-24T17:15:40.789 op_executor:invocation_loop(ThreadId(22)) [1P:native-messaging/op-nm-installer/src/nix_utils.rs:83] Successfully installed all native messaging manifests.
    INFO  2022-03-24T17:15:40.790 tokio-runtime-worker(ThreadId(16)) [1P:ssh/op-agent-controller/src/desktop.rs:285] SSH Agent has started.
    [450618:0324/171540.856969:ERROR:sandbox_linux.cc(377)] InitializeSandbox() called with multiple threads in process gpu-process.
    WARN  2022-03-24T17:15:41.055 op_executor:invocation_loop(ThreadId(22)) [1P:foundation/op-linux/src/kernel_keyring.rs:817] failed to initialize keyring helper, its functionality will be unavailable: Io(Error { kind: UnexpectedEof, message: "failed to fill whole buffer" })
    INFO  2022-03-24T17:16:22.227 tokio-runtime-worker(ThreadId(8)) [1P:op-data-layer/src/load.rs:136] loaded 727 items in 11 vaults for account: xxx
    INFO  2022-03-24T17:16:22.233 op_executor:invocation_loop(ThreadId(22)) [1P:op-app/src/app/backend/unlock.rs:80] Lock state changed: Unlocked
    INFO  2022-03-24T17:16:23.662 tokio-runtime-worker(ThreadId(3)) [1P:op-syncer/src/sync_job.rs:276] synced account xxx (0.173358516s)
    INFO  2022-03-24T17:16:23.663 tokio-runtime-worker(ThreadId(3)) [1P:op-data-layer/src/file.rs:608] find_and_complete_pending_uploads: 'xxx'
    INFO  2022-03-24T17:16:24.167 tokio-runtime-worker(ThreadId(16)) [1P:op-data-layer/src/sync.rs:512] The B5 Notifier for (xxx) has connected, now monitoring for events.
    INFO  2022-03-24T17:16:25.927 op_executor:invocation_loop(ThreadId(22)) [1P:op-app/src/app/backend/lock.rs:72] Lock state changed: Locked
    INFO  2022-03-24T17:16:25.928 op_executor:invocation_loop(ThreadId(22)) [1P:op-app/src/app/backend/lock.rs:94] Locked. Reason: Manual.
    

    Thanks for keeping up, I'm happy to see this in NixOS soon :)

    Best wishes and stay safe :+1

    Edit: Two little findings not related to this maybe you can tell me where to place them/forward them:

    Is there a reason I loose my right click menu on the tray Icon when I enable Quick-Access on left click?
    Is the nesting of the three dot menu (see screenshot) intended? (its not nice to use I would say :D)

    Edit 2: I tried to use the new ssh-feature and it seems to be also not working? for me at least (using the 8.6 release from your PR) there is is a socket showing up in users-".1password" directory:

    "srw------- 0 sebtm 24 Mar 17:39  /home/sebtm/.1password/agent.sock"

    but when I connect via ssh somewhere I'm not offered anything by 1Password (which is running) an see "Permission denied (publickey)." (like without a key)

    I tried to interact with the socket with netcat/socat but I don't get any responses/see anything from there. In the logs I found:

    ERROR 2022-03-24T17:41:11.143 tokio-runtime-worker(ThreadId(2)) [1P:native-messaging/op-native-core-integration/src/connection_handler.rs:60] message from b5x was None: EndConnection
    ERROR 2022-03-24T17:41:11.143 tokio-runtime-worker(ThreadId(2)) [1P:native-messaging/op-native-core-integration/src/connection_handler.rs:31] Dropping connection with b5x due to error handling incoming message: EndConnection
    INFO  2022-03-24T17:41:17.773 tokio-runtime-worker(ThreadId(2)) [1P:ui/op-settings-ui/src/save.rs:792] Error parsing Keyboard Shortcut: Keyboard Shortcut: Control + ControlLeft []
    INFO  2022-03-24T17:41:18.243 tokio-runtime-worker(ThreadId(2)) [1P:ui/op-settings-ui/src/save.rs:792] Error parsing Keyboard Shortcut: Keyboard Shortcut: Control + Shift + ShiftLeft []
    INFO  2022-03-24T17:41:18.745 ThreadId(18) [client:typescript] Settings file changed.
    INFO  2022-03-24T17:41:29.756 op_executor:invocation_loop(ThreadId(22)) [1P:op-app/src/app/backend/frontend.rs:24] Front end event: window closed
    INFO  2022-03-24T17:42:25.652 tokio-runtime-worker(ThreadId(16)) [1P:native-messaging/op-native-core-integration/src/lib.rs:305] Extension connecting.
    INFO  2022-03-24T17:42:25.652 tokio-runtime-worker(ThreadId(16)) [1P:native-messaging/op-native-core-integration/src/lib.rs:307] Extension connection accepted.
    WARN  2022-03-24T17:57:55.971 tokio-runtime-worker(ThreadId(4)) [1P:ssh/op-ssh-agent/src/lib.rs:252] failed to receive agent request (Io(Io { kind: Other, inner: "<redacted>" })), replying with SSH_AGENT_FAILURE
    WARN  2022-03-24T17:57:55.971 tokio-runtime-worker(ThreadId(4)) [1P:ssh/op-ssh-agent/src/lib.rs:261] failed to receive agent request(Io(Os { code: 32, kind: BrokenPipe, message: "Broken pipe" })), dropping client
    

    I have also some recurring errors/logs with just one line created:

    ERROR 2022-03-24T17:33:10.334 ThreadId(28) [1P:op-auto-lock/src/linux.rs:397] A Connection Error ocurred: XcbConnectionError
    ERROR 2022-03-24T17:33:10.334 ThreadId(28) [1P:op-auto-lock/src/linux.rs:397] A Connection Error ocurred: XcbConnectionError
    ERROR 2022-03-24T17:33:10.334 ThreadId(28) [1P:op-auto-lock/src/linux.rs:397] A Connection Error ocurred: XcbConnectionError
    
    ---
    
    
    ERROR 2022-03-24T17:15:36.189 tokio-runtime-worker(ThreadId(8)) [1P:native-messaging/op-native-core-integration/src/connection_handler.rs:60] message from b5x was None: EndConnection
    ERROR 2022-03-24T17:15:36.189 tokio-runtime-worker(ThreadId(8)) [1P:native-messaging/op-native-core-integration/src/connection_handler.rs:31] Dropping connection with b5x due to error handling incoming message: EndConnection
    

    INFO 2022-03-24T17:24:11.717 ThreadId(18) [client:typescript] 1Password is already running, closing. (I guess when I open it via rofi when in tray)

    But all in all, I'm sure we will find solutions for it and get 1Password one better ;)

This discussion has been closed.