
BUG: `rm: refusing to remove '.' or '..' directory: skipping '/run/scalpel/.`

Open kai-tub opened this issue 3 years ago • 4 comments

Hey, thank you very much for providing a way to customize configuration files that require some sops-managed passwords! This is exactly what I've been looking for! :heart: Though, I am having some issues and am relatively new to NixOS so sorry for not being able to provide a minimal example.

  1. When I execute the container there is no issue
  2. But when I call it via my flake configuration, I get the following issues:
```
rm: refusing to remove '.' or '..' directory: skipping '/run/scalpel/.`
rm: refusing to remove '.' or '..' directory: skipping '/run/scalpel/..`
Activation script snippet 'scalpelCreateStore' failed (1)
```

Looking at the code, the issue seems to come from

https://github.com/polygon/scalpel/blob/16c2103d613bb1c7adc6dbf2a17c2980ce08567f/modules/scalpel/default.nix#L113-L124

Where the shell is safeguarding recursively deleting . and ..

I've cloned this repository and changed it to:

```nix
system.activationScripts.scalpelCreateStore = {
  text = ''
    echo "[scalpel] Ensuring existance of ${cfg.secretsDir}"
    mkdir -p ${cfg.secretsDir}
    grep -q "${cfg.secretsDir} ramfs" /proc/mounts || mount -t ramfs none "${cfg.secretsDir}" -o nodev,nosuid,mode=0751

    echo "[scalpel] Clearing old secrets from ${cfg.secretsDir}"
    find . -name . -o -prune -exec rm -rf -- {} +
  '';
  deps = [ "specialfs" ];
};
```

With inspiration from: https://unix.stackexchange.com/a/77313

Which allowed me to run the flake without any issues. :) I would be happy to open a PR if you think this change would fix it.

kai-tub avatar Oct 30 '22 16:10 kai-tub

I don't use scalpel, but don't use this as is, it'll nuke your system!

The find command should be: `find '${cfg.secretsDir}' -name . -o -prune -exec rm -rf -- {} +`
Which I think is equivalent to: `rm -rf "$(ls --almost-all '${cfg.secretsDir}')"`

ThinkChaos avatar Jan 09 '23 17:01 ThinkChaos
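The concern raised above is that `find .` acts on whatever directory the activation script happens to run in. The following is an added example, not part of this thread or of scalpel's code: a shell helper that empties a directory only by explicit absolute path and refuses anything that resolves to `/`. The names `clear_dir_contents` and `demo` are hypothetical, the sample tree is constructed, and GNU find (`-mindepth`/`-maxdepth`) is assumed.

```shell
#!/bin/sh
# Added example: empty a directory by explicit path so the current working
# directory never decides what gets deleted. All names here are hypothetical.

clear_dir_contents() {
    dir=$1
    case $dir in
        /*) ;;   # absolute path: continue with the checks below
        *)  echo "refusing non-absolute path '$dir'" >&2; return 2 ;;
    esac
    # Must be a real directory; a symlink could redirect the delete elsewhere.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing: '$dir' is not a plain directory" >&2
        return 2
    fi
    # Resolve the path so '//' or '/tmp/..' cannot smuggle in the root.
    real=$(cd -P -- "$dir" && pwd -P) || return 2
    [ "$real" != / ] || { echo "refusing to clear /" >&2; return 2; }
    # -mindepth 1 skips the directory itself, so rm never sees '.' or '..';
    # -maxdepth 1 hands rm each top-level entry, dotfiles included.
    find "$real" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} +
}

# Build a constructed tree, run the cleanup from an unrelated working
# directory, and print "<entries left in secrets> <entries left in cwd>".
demo() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/secrets/sub" "$base/cwd"
    touch "$base/secrets/plain" "$base/secrets/.hidden" "$base/secrets/sub/nested"
    touch "$base/cwd/keep-me"
    (
        cd "$base/cwd" || exit 1
        clear_dir_contents "$base/secrets" || exit 1
        left=$(find "$base/secrets" -mindepth 1 | wc -l)
        kept=$(find . -mindepth 1 | wc -l)
        echo "$((left)) $((kept))"
    )
    status=$?
    rm -rf -- "$base"
    return $status
}

demo   # prints "0 1"
```

The secrets directory ends up empty while the file in the working directory survives, which is the property the `find .` variant does not guarantee.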

> I don't use scalpel, but don't use this as is, it'll nuke your system!

To be clear, I think this is only the case for the code suggested at the top of this issue and the fork automatically linked above by GitHub which we discussed here: https://github.com/ndarwincorn/scalpel/commit/6ab08ad635fd25be8cb9113d7a4971861f66ed54#commitcomment-95094918

But be careful in any case.

ahbnr avatar Jan 09 '23 17:01 ahbnr

Sorry, I must have missed this when it was posted. I'll have a look at it. Thanks for the contribution.

polygon avatar Jan 09 '23 18:01 polygon

Wow, yeah that is a pretty bad mistake I made :cold_sweat: Sorry for that!

kai-tub avatar Jan 09 '23 19:01 kai-tub