Hi, I'm running nixos and my 1password-keyringhelper isn't suid. so i get this error [1P:foundation/op-linux/src/bin/keyring_helper.rs:150] keyring helper detected it was not running as root. This could lead to credentials being compromised, aborting! Permissions found: EUID: 1000, EGID: 100 I tried security.wrappers security.wrappers = { "1Password-KeyringHelper" = { source = "${pkgs._1password-gui.out}/share/1password/1Password-KeyringHelper"; setuid = true; group = "onepassword"; }; }; neither worked 1Password Version: Not Provided Extension Version: Not Provided OS Version: Nixos master Sync Type: Not Provided

Hey, @auscyber . This is a realm that I know I still need to research. My understanding was that, to support things like security.wrappers, I would need to make some changes to the derivation file itself. Unfortunately, the NixOS filesystem may make it very difficult to support this feature. :frown: Even with the setuid bit, recent security audits have prompted us to tighten up things like file paths and ownership of more than just the 1Password executable. This makes me very unhappy, but it is very hard to verify the identity of any application on Linux, and we really don't want to have rogue processes just making a connection to an open 1Password session. I'm not giving up at all, though. I run 1Password on a NixOS machine, and really miss the browser integration there.

pkgs.buildFHSUserEnv could work

That's my guess, too. While it won't make it into the update that I need to send to Nixpkgs for 8.1.1, I'll try to prioritize it for our next stable release. I really like the feature and miss it on my NixOS machine.

Hey, I also tried to get 1Password with Keyring-Helper/System Authentication (have working fingerprinter with sudo/i3lock/i3lock-color) and Browser-Support working. I have another issue now where I don't know what to do: Running just the Keyring-Helper e.g.: INFO 2021-07-19T20:36:34.911 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:144] initalizing keyring helper WARN 2021-07-19T20:36:35.180 main(ThreadId(1)) [1P:foundation/op-sys-info/src/process_verification.rs:124] binary permission verification failed for /nix/store/6krkl5ka31qd8ll1801w5z32cbm6k838-1password-8.1.2-10.BETA/share/1password/1Password-KeyringHelper2 ERROR 2021-07-19T20:36:35.182 main(ThreadId(1)) [1P:foundation/op-linux/src/bin/keyring_helper.rs:174] failed to verify keyring helper process permissions, aborting: BinaryPermissions More infos, nix-code and full log of 1Password-start in PR: https://github.com/NixOS/nixpkgs/pull/130652 Hope you can help me/us to solve this and bring full-featured 1password to one more distribution :+1: Best Regards

Hi, @SebTM. Thank you for building that module, as it got me over a significant hurdle in just approaching this problem. I've pulled your branch and am able to reproduce this on my machine, too. Nothing is wrong with your module or the derivation (that I can see, so far, if we make progress we may find more problems...). Our executable verification process figures out the exact file path of the running process and checks the permissions on the file itself. I can see now where and why we're failing, and it looks like we didn't consider the possibility that write permission would be globally disabled. I'm getting a new build and will try it out.

Keyring isn't suid on nixos | 1Password Community

52 Replies

AliH1P
1Password Team
3 years ago
Hey @SebTM, I apologize for our delayed response here. We greatly appreciate all the details you've provided. I'll pass this along to the relevant team 👍

Ali
Former Member
3 years ago
@tobiasvd Thanks for the great feedback, I appreciate it :)

AliH1P @Savanni Ping still relevant!
Former Member
3 years ago
Just wanted to express my gratitude for 1Password being available on NixOS, with browser support, which I did not expect at all tbh. You guys are awesome :)

For people new to NixOS like me arriving at this topic:

Install 1password as a system package using https://search.nixos.org/options?channel=22.11&show=programs._1password-gui.enable&from=0&size=50&sort=relevance&type=packages&query=1password. One can set the package to the beta version if desired (just add '-beta'). With just that, browser support already works (I did a reboot, not sure if that's required).

Keep up the great work!
Former Member
3 years ago
Ping?
Former Member
3 years ago
small reminder ;)
Former Member
3 years ago
Hey @Savanni,

did you have time to look into ( https://1password.community/discussion/comment/635755/#Comment_635755 ) again/forward the request as suggestion/feature request? :)

Best Wishes
Former Member
3 years ago
Hey @Savanni,

did you have time to look into (https://1password.community/discussion/comment/635755/#Comment_635755) again/forward the request to the PO/Devs as suggestion/feature request? :)

Best Wishes
Former Member
4 years ago
A followup after random finding: Something GUI/pinentry-based like would be very nice ;) - https://github.com/StanfordSNR/guardian-agent
Former Member
4 years ago
Hey @Savanni, I'm pleased to help :)

Something to add up:

I'm currently trying to re-automate my backup-workflow (Vorta => Borg), to be not disrupted for every backup (currently hourly). I got it working to use "polkit.lookup" to get the "polkit.message" but somehow it's an issue to work with the (string?) result (of action.lookup) non of the documented javascript-functions is working:

polkit.log(action.lookup("polkit.message").indexOf("python")); polkit.log(action.lookup("polkit.message").includes("python")); polkit.log(action.lookup("polkit.message").search(/python/)); polkit.log((/python/.test(action.lookup("polkit.message")));

Polkit seems to segfault (with each of this approaches - single tested):
polkit.service: Main process exited, code=dumped, status=11/SEGV polkit.service: Failed with result 'core-dump'.

https://gist.github.com/grawity/3886114?permalink_comment_id=4125345#gistcomment-4125345
https://wiki.archlinux.org/title/Polkit
https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html

It would be very helpful and appreciated if you could add an additional parameter "program" (like shown in the polkit-docs - freedesktop-link above) so the user can easily decide in a rule if he want's to e.g. generally permit the key access.

Currently I can match against the whole text which is kind of ugly:
polkit.addRule(function(action, subject) { if ( action.id == "com.1password.1Password.authorizeSshAgent" && action.lookup("polkit.message") == "1Password is trying to allow \“Vorta\” to use the key \“Backup SSH-Key\” for SSH" && subject.isInGroup("auto-backup") ) { polkit.log("Sucess Rule: \"Backup XXX\""); return polkit.Result.YES; } });
and in case of the timed (automated) backup will break after each python-upgrade:
1Password is trying to allow “/nix/store/9px00aaqzb6n5p03i9wd8rx3msg95y9r-python3-3.9.11/bin/python3.9” to use the key “Personal SSH-Key” for SSH
(Would be cool if this/another value could be stripped from the path)

Best Wishes :v:

Post edited by staff to remove possible sensitive information.
Former Member
4 years ago
Wow, @SebTM thank you for this writeup! There's a lot in here for me to absorb and digest.

Forum Discussion

Keyring isn't suid on nixos

52 Replies

Recent Discussions

1Password Popup won't Open up

Side Scroll Bar Overlapped by other UI Element

[rbcroyalbank.com] Unable to fill login credentials

macOS Tahoe, 1P nightly, and Apple Watch

Linux desktop client crashes on startup