From f109744b8786371e3bf0a686ff7fc3d5b434a399 Mon Sep 17 00:00:00 2001 From: Emile Clark-Boman Date: Sat, 26 Jul 2025 18:20:01 +1000 Subject: [PATCH] updated my personal GUIDE.md rereading this now I don't fully agree with the home perms section... oops --- GUIDE | 18 ------------------ GUIDE.md | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+), 18 deletions(-) delete mode 100644 GUIDE create mode 100644 GUIDE.md diff --git a/GUIDE b/GUIDE deleted file mode 100644 index 90a70b8..0000000 --- a/GUIDE +++ /dev/null @@ -1,18 +0,0 @@ -### Migrate to a Newer Version of Nixpkgs -```bash -# Determine the channel name you're using -nix-channel --list -nix-channel --remove -nix-channel --add # ie https://nixos.org/channels/nixos-25.05 -nix-channel --update - -# Now upgrade system profile (log to file in case of failure) -nixos-rebuild boot --upgrade | tee rebuild.log -``` - -### Finding New Things to Do -`man 5 configuration.nix` is incredibly useful - similar info can be found at https://mynixos.com/options - -### For your curiosity -1. https://wiki.nixos.org/wiki/Firejail diff --git a/GUIDE.md b/GUIDE.md new file mode 100644 index 0000000..95180b6 --- /dev/null +++ b/GUIDE.md 
@@ -0,0 +1,51 @@ +### Migrate to a Newer Version of Nixpkgs +```bash +# Determine the channel name you're using +nix-channel --list +nix-channel --remove +nix-channel --add # ie https://nixos.org/channels/nixos-25.05 +nix-channel --update + +# Now upgrade system profile (log to file in case of failure) +nixos-rebuild boot --upgrade | tee rebuild.log +``` + + + +## Security Implications +### NixOS Default Home Permissions +```bash +# Executing from $HOME +>>> mkdir example.d && ls -l example.d +-rw-r--r-- 1 me users 1 Jul 25 10:13 example.d +>>> echo > example.f && ls -l example.f +-rw-r--r-- 1 me users 1 Jul 25 10:15 example.f + +## But these ignore facl? +>>> getfacl "$HOME" +# file: home/me +# owner: me +# group: users +user::rwx +group::--- +other::--- +``` +Many commands default to permissions that ignore the file access control listl (file ACLs). +This is not a NixOS specific issue. However this isn't ideal from a security perspective. +The simplest solution is a recursive `chmod -R 600 ~` but there are plenty of files we +intentionally want to be different. +> [!TODO] +> Solution: Make a Nix/Home-Manager package allowing for control over folder permissions. +> SOlution: Also it should warn if any files owned by $USER have a 2 + + + +## Further Reading +### Finding New Things to Do +`man 5 configuration.nix` is incredibly useful + similar info can be found at https://mynixos.com/options + +### For your curiosity +1. https://wiki.nixos.org/wiki/Firejail + +
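Review bot: In the "NixOS Default Home Permissions" section of GUIDE.md, the suggested `chmod -R 600 ~` clears the execute bit on every directory under $HOME, including $HOME itself, so nothing inside could be traversed afterwards. A symbolic mode such as `chmod -R u=rwX,go= ~` keeps directories searchable for the owner, and a `umask 077` covers files created later. The premise also needs rewording: the `getfacl "$HOME"` output shows only the base entries (`user::rwx`, `group::---`, `other::---`), which mirror the directory's mode bits, and there are no `default:` entries for new files to inherit, so the `-rw-r--r--` on `example.f` comes from the umask rather than from commands ignoring an ACL. The sample output for `mkdir example.d && ls -l example.d` looks copied from the file case: it shows type `-` where a directory would show `d`, and `ls -l` on a directory lists its contents, so `ls -ld` is the command that would print that line. The same section has typos ("control listl", "SOlution") and the last TODO line stops at "have a 2". In the migrate block, `nix-channel --remove` and `nix-channel --add` are shown without the channel name and URL they take, and `| tee rebuild.log` captures only stdout, so `2>&1 | tee rebuild.log` would be needed for error output to reach the log.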