Keyring isn't suid on nixos

Comments

  • SebTM
    SebTM
    Community Member

    Okay, as my post got lost somehow while editing I will write it again later :/

  • SebTM
    SebTM
    Community Member
    edited March 2022

    Hello @Savanni, @DAlperin,

    thanks for your work/testing on it. I have checked out the PR locally as well, and I'm really happy to see that Browser Integration is working :+1

    What doesn't work for me are System Authentication and the SSH feature. I also checked the logs but can't find anything outstanding. (attached - cat'ed together 15 files)

    Logs in additional posts. I can now replicate the loss of the previous post: edit a post, add too many lines/too much length, and you lose it lol (too long - pastebin: https://paste.debian.net/1235516/)

    I can see the socket at "~/.1password/agent.sock". Also tried to debug it with netcat/socat and logs, but I can't find anything wrong.
    Happy to see some progress going on here, and quite hopeful we can solve the rest together :)

    Also two non-related things:

    1. Is there a reason there isn't the right-click menu on the tray icon when Quick Access is configured? It would be so helpful if one didn't exclude the other.
    2. Is it desired that the three-dot menu is nested? (see screenshot)

    Best Wishes and stay safe +1

    Edit: KeyringHelper-Logs: https://paste.debian.net/1235517/ (Please fix your forum software, it's really a pain!)

  • DAlperin
    DAlperin
    Community Member
    edited March 2022

    @SebTM Wherever you install 1pass (home.packages, systemPackages, etc.) replace _1password-gui or pkgs._1password-gui with pkgs._1password-gui.override { polkitPolicyOwners = ["YOURUSERHERE"]; } but replace YOURUSERHERE with your username (add any other users of the system you want it to work with as well) and let me know if it works.

  • SebTM
    SebTM
    Community Member
    edited March 2022

    @DAlperin thx for the suggestion, I thought this was already resolved as I saw in the PR that this is done with the programs._1password-gui.polkitPolicyOwners value in the module. (I cherry-picked the commits locally)

    I also tried it with the following now:

        programs._1password-gui = {
          enable = true;
    
          groupId = 5001;
          package = pkgs._1password-gui.override (
            { polkitPolicyOwners = ["sebtm"]; }
          );
          polkitPolicyOwners = [ "sebtm" ];
        };
    
    

    But system authentication (unlocking 1Password with a fingerprint, like unlocking i3lock-color, which already works) still doesn't work: the screen just shakes like it's not recognizing the fingerprint, but compared (I would guess) it takes too little time to really use/check the device.

  • SebTM
    SebTM
    Community Member

    Keyring-Helper:

    INFO  2022-03-24T16:43:30.650 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:133] initalizing keyring helper
    ERROR 2022-03-24T16:43:30.650 main(ThreadId(1)) [1P:foundation/op-binary-support/src/linux.rs:255] process detected it was running without libc's security, aborting
    INFO  2022-03-24T17:09:55.721 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:133] initalizing keyring helper
    ERROR 2022-03-24T17:09:55.723 main(ThreadId(1)) [1P:foundation/op-binary-support/src/linux.rs:237] parent process contained untrusted libraries: /nix/store/9wvss92s8hd5pn8n3ksgqfhinlk55hcp-libX11-1.7.2/lib/libX11-xcb.so.1.0.0
    INFO  2022-03-24T17:15:00.504 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:133] initalizing keyring helper
    ERROR 2022-03-24T17:15:00.506 main(ThreadId(1)) [1P:foundation/op-binary-support/src/linux.rs:237] parent process contained untrusted libraries: /nix/store/9wvss92s8hd5pn8n3ksgqfhinlk55hcp-libX11-1.7.2/lib/libX11-xcb.so.1.0.0
    INFO  2022-03-24T17:15:41.053 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:133] initalizing keyring helper
    ERROR 2022-03-24T17:15:41.055 main(ThreadId(1)) [1P:foundation/op-binary-support/src/linux.rs:237] parent process contained untrusted libraries: /nix/store/9wvss92s8hd5pn8n3ksgqfhinlk55hcp-libX11-1.7.2/lib/libX11-xcb.so.1.0.0
    INFO  2022-03-24T17:19:21.397 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:133] initalizing keyring helper
    ERROR 2022-03-24T17:19:21.399 main(ThreadId(1)) [1P:foundation/op-binary-support/src/linux.rs:237] parent process contained untrusted libraries: /nix/store/9wvss92s8hd5pn8n3ksgqfhinlk55hcp-libX11-1.7.2/lib/libX11-xcb.so.1.0.0
    INFO  2022-03-24T17:37:13.313 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:133] initalizing keyring helper
    ERROR 2022-03-24T17:37:13.315 main(ThreadId(1)) [1P:foundation/op-binary-support/src/linux.rs:237] parent process contained untrusted libraries: /nix/store/9wvss92s8hd5pn8n3ksgqfhinlk55hcp-libX11-1.7.2/lib/libX11-xcb.so.1.0.0
    

    Puhh, this forum is getting me down - please extend the max post size when using the code tag or allow file attachments (if the MIME type is text).

  • DAlperin
    DAlperin
    Community Member

    @SebTM, out of curiosity, what version of nixos are you running? Could you also copy and paste the result of uname -a? Here is my config since I know that's working, so feel free to poke around and see if you notice any glaring differences: https://github.com/DAlperin/dotfiles. If your config is public, shoot me a link and I can take a look later this week and see if I notice anything; my gut says there is something weird going on with whatever version of nixos and/or the kernel you are running, but I'm not sure.

    thx for the suggestion, I thought this was already resolved

    Oops yeah, realized I was on an older version of the module from before the PR was opened, my bad.

  • @DAlperin actually, that override was only necessary for a few days. polkitPolicyOwners is now a parameter on the module on the unstable channel.

    @SebTM Lots of things for me to absorb here, so I'll try to take it point-by-point.

    The nested menu is not particularly nice, but it seems that we fixed that by 8.7.0-28. I'm not sure exactly when, though. Also, in your screenshot, did you make the window somewhat transparent? I'm seeing texturing that I know we don't have in the app since Electron doesn't support transparency on Linux (no idea why, but it's so documented... Linux has only had transparency since, oh 2002).

    SSH agent should be working. I just tried it out and even got it to work with the fingerprint reader. Could you check your ~/.ssh/config to ensure that it is delegating to the socket?

    Unfortunately, I'm having to switch off of the NixOS installation. I'm only able to test today since I put it back on to test the new op module that another Nix contributor has open in MR. But I owe a similar amount of work to the Flatpak users, and the only way for me to get that done is to switch over to the Flatpak installation for a few weeks. :D

  • SebTM
    SebTM
    Community Member
    edited March 2022

    Hey @DAlperin, @Savanni,

    thanks for your answers and sharing your config (want to do it but have to take care of secrets before - when I find time :/). I'm running my system on NixOS-Unstable (current rev: ce8cbe3c01fd8ee2de526ccd84bbf9b82397a510) and HomeManager-Master (current rev: 888eac32bd657bfe0d024c8770130d80d1c02cd3) - my uname -a is: Linux XXX 5.15.30 #1-NixOS SMP Sat Mar 19 12:47:51 UTC 2022 x86_64 GNU/Linux

    I've changed the config part for 1password to:

    programs = {
      _1password-gui = {
        enable = true;
    
        groupId = 5001;
        polkitPolicyOwners = [ "sebtm" ];
      };
    };
    

    The current rev I'm using is also including the initial module from @Savanni. I can see in /etc/group that the group is created with the according gid.

    Ah nice, then it will be fixed in the next big release, that's fine for me :) For the transparency thing I use picom (home-manager module) and this is my config:

        picom = {
          enable = true;
    
          activeOpacity = "0.96";
          blur = true;
    
          fade = true;
          fadeSteps = [ "0.05" "0.05" ];
    
          inactiveDim = "0.10";
          inactiveOpacity = "0.94";
    
          menuOpacity = "0.96";
          opacityRule = [ "100:name *= 'i3lock'" ];
          shadow = true;
        };
    

    Worked for me out-of-the-box with no issues.

    For the SSH agent thing, I'm on it; it seems that I have to recreate my keys in 1Password (as I stored them there before as files). Will check that in the next days.

    Thanks for your (all) support, and maybe we will sort it out by the time you are back on NixOS :)

    Best Wishes

    Edit: Just one thing to add, which I had only mentioned in one sentence, so no worry :) Is there a reason that we lose the right-click menu on the tray icon if Quick Access for left clicks is enabled? This would be really nice to see :)

  • SebTM
    SebTM
    Community Member

    Hmm, I tried SSH again after recreating the keys in 1Password and testing it on a Mac (where it worked). I've changed my config to:

    Host *
      IdentityAgent ~/.1password/agent.sock
    

    and can see the socket:

    ❯ ls -al ~/.1password/agent.sock
    Permissions Size User  Date Modified Name
    srw-------     0 sebtm 30 Mar 23:16   /home/sebtm/.1password/agent.sock
    

    But every try to connect to one of my hosts (working again on mac) I get:

    ❯ ssh root@vmh01.XXXX.de
    root@vmh01.XXXX.de: Permission denied (publickey).
    ❯ ssh root@ns27.XXXX.de
    root@ns27.XXXX.de: Permission denied (publickey,keyboard-interactive).
    ❯ ssh root@10.10.XX.1
    root@10.10.XX.1: Permission denied (publickey).
    

    I've also tried to reset the whole 1Password app by renaming .config/1password and setting up the account fresh, but it doesn't help with my SSH feature nor the system authentication issues :/

  • SebTM
    SebTM
    Community Member

    Okay, I somehow solved it partially:

    I had my keys in different Vaults (other than the default) and interpreted "Open and unlock 1Password, then navigate to your Personal or Private vault." with any private vault otherwise I would have expected the hint with only Personal/Default Vault :)

    Now as I moved my keys to Personal I can see them all with ssh-add -L but when I try to connect:

    ❯ ssh root@vmh01.XXX.de
    sign_and_send_pubkey: signing failed for ED25519 "XXX SSH-Key" from agent: agent refused operation
    root@vmh01.XXX.de: Permission denied (publickey).
    

    I guess it's related to the other issues where system authentication is not working (maybe polkit?) I will try to look into this :)

  • SebTM
    SebTM
    Community Member

    I have the full experience working ;) With some (motivational) help keeping me on track, I got down into the depths of polkit debugging (https://wiki.archlinux.org/title/Polkit#Debugging/logging).

    As the SSH auth relies on system authentication (and so on polkit), it was really helpful for me while debugging, so I didn't have to lock/unlock my vault again for testing over and over. (just for anyone following me on the path)

    1. SSH-Keys in non Standard/Personal-Vault
      Please make some hints in SSH-Key type Items in the App -> in such Vaults that they will not work. Having it in the docs is nice but as it could be interpreted different (see above - maybe my fault) this would be an improvement I guess. I hope in the long-term all non-shared (first) and later even shared (maybe keys shared without ability to download/view them for teams? ;)) Vaults are possible.

    2. export SSH_AUTH_SOCK=~/.1password/agent.sock
      It helps a lot seeing/debugging the content of the keyring - for me it's part of "set up your system with 1Password as SSH auth provider", so it would belong in the snippet/getting started in the app (like the .ssh/config thing) rather than in the docs (additional docs - again, I love it)

    3. Debugging further

    with journalctl -feu polkit.service and

    security.polkit = {
        enable = true;
        extraConfig = ''
            polkit.addRule(function(action, subject) {
                polkit.log("action=" + action);
                polkit.log("subject=" + subject);
            });
        '';
    };
    

    and ssh -v root@XXX.XXX.de I was able to see in the journalctl related actions popping up. I was curios and adapted something I've seen on the ArchWiki page with the debug-output and I got it working the first time but with a hardcoded wildcard on the action:

    security.polkit = {
        enable = true;
        extraConfig = ''
            polkit.addRule(function(action, subject) {
                polkit.log("action=" + action);
                polkit.log("subject=" + subject);

                if (action.id == "com.1password.1Password.authorizeSshAgent") {
                    return polkit.Result.YES;
                }
            });
        '';
    };
    

    DON'T USE THIS, IT COMPROMISES YOUR SECURITY


    4. Conclusion and solution

    From then on I knew that there is something missing in my environment that prompts me for authorization when such a polkit action/event occurs. Originally searching for something like polkit-explorer-git (earlier), I saw the package polkit_gnome. Then I had some luck that one of my colleagues, also using i3wm, had already implemented polkit_gnome in his config as a systemd user service in NixOS:

    systemd = {
      user.services.polkit-gnome-authentication-agent-1 = {
        description = "polkit-gnome-authentication-agent-1";
        wants = [ "graphical-session.target" ];
        wantedBy = [ "graphical-session.target" ];
        after = [ "graphical-session.target" ];
        serviceConfig = {
          Type = "simple";
          ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
          Restart = "on-failure";
          RestartSec = 1;
          TimeoutStopSec = 10;
        };
      };
    };
    

    For me personally it's more a user-managed thing so I moved it to my home-manager config, it works fine and the service-definition looks like this:

    systemd.user.services = {
      polkit-gnome-authentication-agent-1 = {
        Unit = {
          After = [ "graphical-session-pre.target" ];
          Description = "polkit-gnome-authentication-agent-1";
          PartOf = [ "graphical-session.target" ];
        };
    
        Service = {
          ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
          Restart = "on-failure";
          RestartSec = 1;
          TimeoutStopSec = 10;
          Type = "simple";
        };
    
        Install = {
          WantedBy = [ "graphical-session.target" ];
        };
      };
    };
    

    I hope I can give something back to others in the community with this (maybe too detailed) trip-report with polkit these days ;)

    Best Regards

  • Wow, @SebTM thank you for this writeup! There's a lot in here for me to absorb and digest.

  • SebTM
    SebTM
    Community Member
    edited April 2022

    Hey @Savanni, I'm pleased to help :)

    Something to add up:

    I'm currently trying to re-automate my backup workflow (Vorta => Borg), so as not to be disrupted for every backup (currently hourly). I got it working to use "polkit.lookup" to get the "polkit.message", but somehow it's an issue to work with the (string?) result (of action.lookup); none of the documented JavaScript functions is working:

    polkit.log(action.lookup("polkit.message").indexOf("python"));
    polkit.log(action.lookup("polkit.message").includes("python"));
    polkit.log(action.lookup("polkit.message").search(/python/));
    polkit.log(/python/.test(action.lookup("polkit.message")));
    

    Polkit seems to segfault (with each of this approaches - single tested):

    polkit.service: Main process exited, code=dumped, status=11/SEGV
    polkit.service: Failed with result 'core-dump'.
    

    https://gist.github.com/grawity/3886114?permalink_comment_id=4125345#gistcomment-4125345
    https://wiki.archlinux.org/title/Polkit
    https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html

    It would be very helpful and appreciated if you could add an additional parameter "program" (like shown in the polkit docs - freedesktop link above) so the user can easily decide in a rule if they want to e.g. generally permit the key access.

    Currently I can match against the whole text which is kind of ugly:

    polkit.addRule(function(action, subject) {
      if (
        action.id == "com.1password.1Password.authorizeSshAgent"
        && action.lookup("polkit.message") == "1Password is trying to allow “Vorta” to use the key “Backup SSH-Key” for SSH"
        && subject.isInGroup("auto-backup")
      ) {
        polkit.log("Success Rule: \"Backup XXX\"");
        return polkit.Result.YES;
      }
    });
    

    and in the case of the timed (automated) backup it will break after each Python upgrade:

    1Password is trying to allow “/nix/store/9px00aaqzb6n5p03i9wd8rx3msg95y9r-python3-3.9.11/bin/python3.9” to use the key “Personal SSH-Key” for SSH
    

    (Would be cool if this/another value could be stripped from the path)

    Best Wishes :v:

    • Post edited by staff to remove possible sensitive information.
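
    The rule logic from the post above, as an added example that is not part of the thread or of 1Password's own code: it grants com.1password.1Password.authorizeSshAgent without a prompt only for an allowlisted program/key pair and group, and it normalises the /nix/store path in polkit.message down to the executable's basename so a Python upgrade does not break the match. The allowlist contents are assumptions; it is written to run under Node with mock action/subject objects, since the post reports that string methods crashed inside polkit's own JavaScript engine, so port the body into polkit.addRule with that caveat in mind.

```javascript
// Added example, not from the thread. Decision logic for a polkit rule on the
// 1Password SSH-agent action, runnable under Node with the mocks at the bottom.
// In a real rules file the body of decideSshAgentRequest goes into
// polkit.addRule(function(action, subject) { ... }).

// Message format quoted in the thread; the curly quotes are part of the text.
//   1Password is trying to allow “<program>” to use the key “<key>” for SSH
const MESSAGE_RE = /allow \u201c(.+?)\u201d to use the key \u201c(.+?)\u201d for SSH/;

// Reduce /nix/store/<32-char hash>-<name>-<version>/.../prog to "prog" so the
// allowlist survives a store-path change (e.g. a Python upgrade).
function programName(path) {
  const m = /^\/nix\/store\/[a-z0-9]{32}-[^/]+\/(.+)$/.exec(path);
  const rest = m ? m[1] : path;
  return rest.slice(rest.lastIndexOf('/') + 1);
}

// Extract program and key from polkit.message; null when it does not match.
function parseMessage(message) {
  const m = MESSAGE_RE.exec(message || '');
  if (!m) return null;
  return { program: programName(m[1]), key: m[2] };
}

// Constructed allowlist (assumption): the only program/key pairs granted without
// a prompt, and only for subjects in the named group.
const ALLOW = [
  { program: 'python3.9', key: 'Backup SSH-Key', group: 'auto-backup' },
];

// Returns 'YES' to skip the prompt, otherwise undefined so polkit falls through
// to the normal authentication dialog (never 'NO': nothing is silently blocked).
function decideSshAgentRequest(action, subject) {
  if (action.id !== 'com.1password.1Password.authorizeSshAgent') return undefined;
  const req = parseMessage(action.lookup('polkit.message'));
  if (!req) return undefined;
  for (const rule of ALLOW) {
    if (rule.program === req.program && rule.key === req.key &&
        subject.isInGroup(rule.group)) {
      return 'YES';
    }
  }
  return undefined;
}

// Minimal stand-ins for polkit's action and subject objects (assumed shape).
function mockAction(id, message) {
  return { id, lookup: (k) => (k === 'polkit.message' ? message : undefined) };
}
function mockSubject(groups) {
  return { isInGroup: (g) => groups.includes(g) };
}
```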
  • SebTM
    SebTM
    Community Member

    A followup after random finding: Something GUI/pinentry-based like would be very nice ;) - https://github.com/StanfordSNR/guardian-agent

  • SebTM
    SebTM
    Community Member
    edited June 2022

    Hey @Savanni,

    did you have time to look into (https://1password.community/discussion/comment/635755/#Comment_635755) again/forward the request to the PO/Devs as suggestion/feature request? :)

    Best Wishes

  • SebTM
    SebTM
    Community Member
    edited June 2022

    Hey @Savanni,

    did you have time to look into ( https://1password.community/discussion/comment/635755/#Comment_635755 ) again/forward the request as suggestion/feature request? :)

    Best Wishes

  • SebTM
    SebTM
    Community Member

    small reminder ;)

  • SebTM
    SebTM
    Community Member

    Ping?

  • tobiasvd
    tobiasvd
    Community Member

    Just wanted to express my gratitude for 1Password being available on NixOS, with browser support, which I did not expect at all tbh. You guys are awesome :)

    For people new to NixOS like me arriving at this topic:

    Install 1password as a system package using this option. One can set the package to the beta version if desired (just add '-beta'). With just that, browser support already works (I did a reboot, not sure if that's required).

    Keep up the great work!

  • SebTM
    SebTM
    Community Member

    @tobiasvd Thanks for the great feedback, I appreciate it :)

    @AliH1P @Savanni Ping still relevant!

  • Hey @SebTM, I apologize for our delayed response here. We greatly appreciate all the details you've provided. I'll pass this along to the relevant team 👍

    Ali

This discussion has been closed.