-
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API: access secrets directly #11870
Comments
This issue was submitted by going to the code, lining up a piece of code, and then clicking on "submit issue" using the GitHub web UI. |
Thanks. I'm not very familiar with NixOS. Does it look like the following would work? elif os.path.isdir("/run/secrets") and os.path.isfile(
os.path.join("/run/secrets", JWT_SECRET_ENV_VAR)
): |
Personally, I would just try to open the filepath directly and fallthrough if it does not open up. I.e., to me, checking whether the directory exists seems redundant if you are then reading a file within it anyway (in other words, reading a file successfully implies that the directory exists). Aside of that, yes, that looks good to me! Also, thanks for the swift response. |
Currently there is a bug affecting, e.g., NixOS: #11324
This issue stems from these lines:
frigate/frigate/api/auth.py
Lines 90 to 96 in 962d213
Certain distributions like NixOS create a per-process user to services like frigate. Often, secrets in the run directory are then given on per-process basis. Coincidentally, this means that the read capabilities of the
/run/secrets
folder is reserved for root only. Instead, the access pattern is such that services read their corresponding environment variables directly from the folder, such as/run/secrets/FRIGATE_JWT_SECRET
.To address this issue, the listing logic should be removed. This seems to make little sense anyway since the file is read directly later anyway: if the file does not exist, the read should fail.
Without this change, frigate process on NixOS and distributions with similar secret management logic will run into a Python crash on startup, because frigate tries to scan secrets it should not have access to.
The text was updated successfully, but these errors were encountered: