BUG: rm: refusing to remove '.' or '..' directory: skipping '/run/scalpel/. #1

Open
kai-tub opened this issue Oct 30, 2022 · 4 comments

kai-tub commented Oct 30, 2022

Hey, thank you very much for providing a way to customize configuration files that require some sops-managed passwords!
This is exactly what I've been looking for! ❤️
Though, I am having some issues and am relatively new to NixOS so sorry for not being able to provide a minimal example.

  1. When I execute the container there is no issue
  2. But when I call it via my flake configuration, I get the following issues:

    rm: refusing to remove '.' or '..' directory: skipping '/run/scalpel/.'
    rm: refusing to remove '.' or '..' directory: skipping '/run/scalpel/..'
    Activation script snippet 'scalpelCreateStore' failed (1)

Looking at the code, the issue seems to come from

    config = mkIf (cfg.trafos != { }) {
      system.activationScripts.scalpelCreateStore = {
        text = ''
          echo "[scalpel] Ensuring existance of ${cfg.secretsDir}"
          mkdir -p ${cfg.secretsDir}
          grep -q "${cfg.secretsDir} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsDir}" -o nodev,nosuid,mode=0751
          echo "[scalpel] Clearing old secrets from ${cfg.secretsDir}"
          rm -rf ${cfg.secretsDir}/{*,.*}
        '';
        deps = [ "specialfs" ];
      };

Where the shell is safeguarding against recursively deleting . and ..

I've cloned this repository and changed it to:

system.activationScripts.scalpelCreateStore = { 
       text = '' 
         echo "[scalpel] Ensuring existance of ${cfg.secretsDir}" 
         mkdir -p ${cfg.secretsDir} 
         grep -q "${cfg.secretsDir} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsDir}" -o nodev,nosuid,mode=0751 
  
         echo "[scalpel] Clearing old secrets from ${cfg.secretsDir}" 
         find . -name . -o -prune -exec rm -rf -- {} +
       ''; 
       deps = [ "specialfs" ]; 
     }; 

With inspiration from: https://unix.stackexchange.com/a/77313

Which allowed me to run the flake without any issues. :)
I would be happy to open a PR if you think this change would fix it.

ndarwincorn added a commit to ndarwincorn/scalpel that referenced this issue Nov 27, 2022
@ThinkChaos

I don't use scalpel, but don't use this as is, it'll nuke your system!

The find command should be: find '${cfg.secretsDir}' -name . -o -prune -exec rm -rf -- {} +
Which I think is equivalent to: rm -rf "$(ls --almost-all '${cfg.secretsDir}')"

ahbnr commented Jan 9, 2023

> I don't use scalpel, but don't use this as is, it'll nuke your system!

To be clear, I think this is only the case for the code suggested at the top of this issue and the fork automatically linked above by GitHub, which we discussed here: ndarwincorn@6ab08ad#commitcomment-95094918

But be careful in any case.

Owner

polygon commented Jan 9, 2023

Sorry, I must have missed this when it was posted. I'll have a look at it. Thanks for the contribution.

Author

kai-tub commented Jan 9, 2023

Wow, yeah that is a pretty bad mistake I made 😰
Sorry for that!
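
The two failure modes in this thread are the `{*,.*}` glob, which expands to `.` and `..`, and a `find .` that acts on whatever the working directory happens to be during activation. As an added example (not scalpel's code and not taken from any comment above; `clear_dir_contents` and `demo` are hypothetical names, and a find with the `-mindepth`/`-maxdepth` extensions is assumed), one way to empty a directory that avoids both:

```shell
# Added example: empty a directory (dotfiles included) without ever naming
# '.' or '..' and without depending on the current working directory.
# clear_dir_contents and demo are hypothetical helper names.

clear_dir_contents() {
    local dir="${1:-}"

    # An empty or root target must never widen the deletion to '/' or to
    # the caller's working directory, so refuse it outright.
    if [ -z "$dir" ] || [ "$dir" = "/" ]; then
        echo "clear_dir_contents: refusing target '$dir'" >&2
        return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "clear_dir_contents: not a directory: $dir" >&2
        return 2
    fi

    # -mindepth 1 excludes the directory itself, so a mount point stays.
    # -maxdepth 1 hands only top-level entries to rm, which recurses.
    # find never lists '.' or '..', so rm has nothing to refuse.
    # Both depth options are GNU/BSD extensions, not POSIX.
    find "$dir" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} +
}

# Constructed demonstration inside a throwaway temp directory.
demo() {
    local root secrets ok=1
    root="$(mktemp -d)" || return 1
    secrets="$root/secrets"
    mkdir -p "$secrets/sub/.nested"
    touch "$secrets/plain" "$secrets/.hidden" "$secrets/with space"
    touch "$root/bystander"    # sits in the parent and must survive

    # Run from the parent: a cwd-relative delete would remove 'bystander'.
    ( cd "$root" && clear_dir_contents "$secrets" ) || return 1

    if [ -d "$secrets" ] && [ -z "$(ls -A "$secrets")" ] \
        && [ -e "$root/bystander" ]; then
        ok=0
    fi
    rm -rf -- "$root"
    return "$ok"
}

if [ "${1:-}" = "--demo" ]; then demo && echo "demo ok"; fi
```

Passing the target as an explicit, quoted argument is what keeps the deletion scoped: the function behaves the same from any working directory and refuses to run when the variable is empty.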
