From ef3386d983752be71e63faf49e1bc0092d697fe3 Mon Sep 17 00:00:00 2001
From: Daniel Frank
Date: Sat, 7 Sep 2019 00:48:56 +0200
Subject: [PATCH] roundcube: recreate the session key on any restart of the install service, which includes any reboot
---
 roundcube.nix | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/roundcube.nix b/roundcube.nix
index 990aadf..364c526 100644
--- a/roundcube.nix
+++ b/roundcube.nix
@@ -95,13 +95,13 @@ in
 mkdir -p ${config.variables.roundcubeDataDir}/temp ${config.variables.roundcubeDataDir}/logs
 chown -Rc ${config.variables.roundcubeUser} ${config.variables.roundcubeDataDir}
 chmod -c 700 ${config.variables.roundcubeDataDir}
- if [ ! -s "${config.variables.roundcubeDataDir}/des_key" ]; then
- ${pkgs.coreutils}/bin/dd if=/dev/urandom bs=32 count=1 2>/dev/null | ${pkgs.coreutils}/bin/base64 > "${config.variables.roundcubeDataDir}/des_key"
- chown -c "${config.variables.roundcubeUser}":root "${config.variables.roundcubeDataDir}/des_key"
- chmod -c 400 "${config.variables.roundcubeDataDir}/des_key"
- fi
+ # Regenerate the key every now and then. This invalidates all sessions, but during reboot should be good enough.
+ [ -f "${config.variables.roundcubeDataDir}/des_key" ] && ${pkgs.coreutils}/bin/shred "${config.variables.roundcubeDataDir}/des_key"
+ ${pkgs.coreutils}/bin/dd if=/dev/urandom bs=32 count=1 2>/dev/null | ${pkgs.coreutils}/bin/base64 > "${config.variables.roundcubeDataDir}/des_key"
+ chown -c "${config.variables.roundcubeUser}":root "${config.variables.roundcubeDataDir}/des_key"
+ chmod -c 400 "${config.variables.roundcubeDataDir}/des_key"
 if [ -s "${config.variables.roundcubeDataDir}/roundcube.sqlite" ]; then
- # Just go ahead and remove the sessions on a boot
+ # Just go ahead and remove the sessions, the key to decrypt them has just been destroyed anyway.
 ${pkgs.sqlite}/bin/sqlite3 "${config.variables.roundcubeDataDir}/roundcube.sqlite" "DELETE FROM session;"
 fi
 '';
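Review bot: The now-unconditional key write in the added `dd … | base64 > des_key` line is never checked: dd's stderr is discarded and, unless the script runs with pipefail (not visible here), the pipeline's status is base64's, so a failed read leaves an empty des_key that is then chown'ed and put into service. The removed `-s` test at least kept a previously good key in place; I would follow the pipeline with `[ -s "${config.variables.roundcubeDataDir}/des_key" ] || exit 1`. The `shred` line overwrites in place, which coreutils documents as unreliable on copy-on-write or journaling filesystems and on flash storage, so the new comment's "has just been destroyed" is stronger than the code can promise; a caveat such as `# best effort: shred cannot guarantee erasure on CoW/journaled filesystems` would be more accurate. The script string opens above this hunk, so any shell options set there are not visible from here.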