BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

* Blackhole the address 169.254.169.254 after we've obtained the user

Browse source 
data to prevent non-root processes from getting the private host
  key.

svn path=/nixos/trunk/; revision=33442
This commit is contained in:
Eelco Dolstra 2012-03-27 14:51:08 +00:00
parent 64241a3e90
commit 040042b8a5
1 changed files with 7 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
modules/virtualisation/ec2-data.nix
View file

@ -15,10 +15,12 @@ with pkgs.lib;
task = true;
path = [ pkgs.curl ];
path = [ pkgs.curl pkgs.iproute ];
script =
''
ip route del blackhole 169.254.169.254/32 || true
curl="curl --retry 3 --retry-delay 0 --fail"
echo "setting host name..."
@ -53,6 +55,10 @@ with pkgs.lib;
(umask 077; echo "$key" > /etc/ssh/ssh_host_dsa_key)
echo "$key_pub" > /etc/ssh/ssh_host_dsa_key.pub
fi
# Since the user data is sensitive, prevent it from being
# accessed from now on.
ip route add blackhole 169.254.169.254/32
'';
};