* Blackhole the address 169.254.169.254 after we've obtained the user

data to prevent non-root processes from getting the private host key. svn path=/nixos/trunk/; revision=33442
2012-03-27 14:51:08 +00:00 · 2012-03-27 14:51:08 +00:00 · 040042b8a5
commit 040042b8a5
parent 64241a3e90
1 changed files with 7 additions and 1 deletions
--- a/modules/virtualisation/ec2-data.nix
+++ b/modules/virtualisation/ec2-data.nix
@ -15,10 +15,12 @@ with pkgs.lib;

      task = true;

-      path = [ pkgs.curl ];
+      path = [ pkgs.curl pkgs.iproute ];

      script =
        ''
+          ip route del blackhole 169.254.169.254/32 || true
+          
          curl="curl --retry 3 --retry-delay 0 --fail"
        
          echo "setting host name..."
@ -53,6 +55,10 @@ with pkgs.lib;
              (umask 077; echo "$key" > /etc/ssh/ssh_host_dsa_key)
              echo "$key_pub" > /etc/ssh/ssh_host_dsa_key.pub
          fi
+
+          # Since the user data is sensitive, prevent it from being
+          # accessed from now on.
+          ip route add blackhole 169.254.169.254/32
        '';
    };