
Remove `noexec`

Open sebastianrasor opened this issue 1 month ago • 2 comments

I'm opening this issue because I feel like this decision deserves some additional discussion: https://github.com/Mic92/sops-nix/pull/826#issuecomment-3270501814

The way I see it, the addition of noexec was included in this PR the same way an NBA team might throw in an inconsequential player into a trade package to make it slightly more appealing. There's nothing wrong with that, but I think the decision deserves a little bit more discussion which is why I'm opening this issue.

The thing that led me to that PR was me trying to template a script and then execute it directly from the /run/secrets/rendered directory, which would have been the cleanest available option in the systemd service that I was writing. I was able to work around the limitation imposed by noexec by just copying the script into a working directory that wasn't mounted noexec, and I could have also worked around this issue by just calling bash on the location in the original secrets directory directly to interpret the file instead of trying to execute it.

The way I see it is the following:

  • Mounting with noexec provides no substantial benefit in any real way; security, performance, etc. (I'm happy to be corrected in this regard)
  • It was only included as an afterthought
  • It only serves to slightly increase friction when using templates

I think that we should remove the noexec mount option

sebastianrasor, Nov 23 '25 20:11

Do running scripts prevent us from switching the secrets?

SuperSandro2000, Nov 24 '25 00:11

What interpreter do you put in those secrets? There are no gcroots on that directory; any nix store reference can become stale.

Mic92, Dec 12 '25 15:12
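The pattern the opening post describes (a sops-nix template rendered into /run/secrets/rendered and run from a systemd service), written out as an added example that is not code from the issue author or from the sops-nix project. It uses the interpreter-invocation workaround from the post rather than executing the rendered file, and it addresses the point raised in the last comment by keeping the interpreter's store path in the systemd unit (which the system profile roots) instead of in the rendered secret (which nothing roots). The secret name `api-token`, the template name `deploy.sh`, the service name `deploy-hook` and the `example.invalid` URL are all made up for the example; `sops.secrets`, `sops.placeholder` and `sops.templates` are existing sops-nix options, and the file paths shown are the module defaults as I understand them.

```nix
# Added example, not part of sops-nix or of the issue: a NixOS module that
# renders a secret-bearing script with sops-nix and runs it from a systemd
# service without ever needing exec permission on /run/secrets/rendered.
# Hypothetical names: secret "api-token", template "deploy.sh", service
# "deploy-hook", endpoint https://example.invalid/hook.
{ config, pkgs, ... }:
{
  # The encrypted secret itself; decrypted to /run/secrets/api-token.
  sops.secrets."api-token" = { };

  # Rendered to /run/secrets/rendered/deploy.sh, which is on the noexec mount
  # and therefore cannot be exec'd directly. Deliberately no shebang: the
  # interpreter is chosen by the unit below, so the rendered file contains no
  # nix store path that could be garbage-collected out from under it.
  sops.templates."deploy.sh" = {
    mode = "0400";
    content = ''
      set -euo pipefail
      # The placeholder is substituted verbatim at render time; the secret
      # should not contain characters that are significant to the shell.
      token="${config.sops.placeholder."api-token"}"
      curl -fsS -H "Authorization: Bearer $token" https://example.invalid/hook
    '';
  };

  systemd.services.deploy-hook = {
    description = "Run the rendered deploy script (added example)";
    wantedBy = [ "multi-user.target" ];
    # Tools the script calls; they end up on the unit's PATH.
    path = [ pkgs.curl ];
    serviceConfig = {
      Type = "oneshot";
      # Hand the file to an interpreter instead of exec'ing it. noexec only
      # blocks execve() of files on that mount; bash reading the file is fine.
      # ${pkgs.bash} lands in the unit file, which the system profile keeps
      # rooted, unlike a store path baked into the secret's content.
      ExecStart = "${pkgs.bash}/bin/bash ${config.sops.templates."deploy.sh".path}";
    };
  };
}
```

If the secret can contain shell metacharacters, a more robust variant is to leave the token out of the template and have the script read it with `$(cat /run/secrets/api-token)` at run time, which also avoids a second copy of the secret on disk.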