Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

API: access secrets directly #11870

Closed
jhvst opened this issue Jun 11, 2024 · 4 comments · Fixed by #11877
Closed

API: access secrets directly #11870

jhvst opened this issue Jun 11, 2024 · 4 comments · Fixed by #11877

Comments

@jhvst
Copy link

jhvst commented Jun 11, 2024

Currently there is a bug affecting, e.g., NixOS: #11324

This issue stems from these lines:

frigate/frigate/api/auth.py

Lines 90 to 96 in 962d213

elif (
os.path.isdir("/run/secrets")
and os.access("/run/secrets", os.R_OK)
and JWT_SECRET_ENV_VAR in os.listdir("/run/secrets")
):
logger.debug(f"Using jwt secret from {JWT_SECRET_ENV_VAR} docker secret file.")
jwt_secret = Path(os.path.join("/run/secrets", JWT_SECRET_ENV_VAR)).read_text()

Certain distributions like NixOS create a per-process user to services like frigate. Often, secrets in the run directory are then given on per-process basis. Coincidentally, this means that the read capabilities of the /run/secrets folder is reserved for root only. Instead, the access pattern is such that services read their corresponding environment variables directly from the folder, such as /run/secrets/FRIGATE_JWT_SECRET.

To address this issue, the listing logic should be removed. This seems to make little sense anyway since the file is read directly later anyway: if the file does not exist, the read should fail.

Without this change, frigate process on NixOS and distributions with similar secret management logic will run into a Python crash on startup, because frigate tries to scan secrets it should not have access to.
@blakeblackshear
Copy link
Owner

Thanks for reporting.

Genuinely honest question as we are trying to maintain a good workflow around bug reports. How did you submit this issue without selecting a template?

We have a specific link for bug reports on the new issue page, but this was submitted as a generic issue instead.

Screenshot_20240611-062515.png

@jhvst
Copy link
Author

jhvst commented Jun 11, 2024

This issue was submitted by going to the code, lining up a piece of code, and then clicking on "submit issue" using the GitHub web UI.

@blakeblackshear
Copy link
Owner

Thanks.

I'm not very familiar with NixOS. Does it look like the following would work?

    elif os.path.isdir("/run/secrets") and os.path.isfile(
        os.path.join("/run/secrets", JWT_SECRET_ENV_VAR)
    ):

@jhvst
Copy link
Author

jhvst commented Jun 11, 2024
edited
Loading

Personally, I would just try to open the filepath directly and fallthrough if it does not open up. I.e., to me, checking whether the directory exists seems redundant if you are then reading a file within it anyway (in other words, reading a file successfully implies that the directory exists).

Aside of that, yes, that looks good to me! Also, thanks for the swift response.

@blakeblackshear blakeblackshear mentioned this issue Jun 11, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

just check for secret file specifically blakeblackshear/frigate
2 participants
@blakeblackshear @jhvst