fix: systemd mitigations #711

Open
Manuthor wants to merge 11 commits into develop from fix/systemd_mitigations

@Manuthor
Contributor

Closes #710

@Manuthor force-pushed the fix/systemd_mitigations branch from 2094255 to df1010c (February 14, 2026 07:33)
@Manuthor force-pushed the fix/systemd_mitigations branch from df1010c to 003deb3 (February 16, 2026 12:05)
@Manuthor force-pushed the fix/systemd_mitigations branch from a011b8c to c064695 (February 19, 2026 16:33)

When a volume bind-mount targets /etc/cosmian/kms.toml and the parent
directory does not exist in the image, Docker creates the mount-point as
a directory instead of a file.  The KMS server was using Path::exists()
to detect config files, which returns true for directories, causing a
fatal "Is a directory" error when it tried to read_to_string the path.

Two complementary fixes:
- clap_config.rs: replace exists() with is_file() for all three config
  path checks (-c/--config, COSMIAN_KMS_CONF, default path).  A path
  that exists but is not a regular file now emits a clear warning and
  falls through rather than crashing.
- docker.nix: pre-create /etc/cosmian/ in fakeRootCommands so Docker
  bind-mounts of config files land as regular files in the container.
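
The exists() versus is_file() difference described in the commit message above, as an added example that is not code from this pull request or from the KMS code base. The function names, the candidate-list model of config lookup and the temporary directory layout are assumptions made for illustration.

```rust
use std::fs;
use std::path::PathBuf;

/// Pre-fix behaviour: any existing path is accepted, directories included.
fn pick_with_exists(candidates: &[PathBuf]) -> Option<PathBuf> {
    candidates.iter().find(|p| p.exists()).cloned()
}

/// Post-fix behaviour: only regular files are accepted. A path that exists
/// but is not a regular file yields a warning and the search continues.
fn pick_with_is_file(candidates: &[PathBuf]) -> (Option<PathBuf>, Vec<String>) {
    let mut warnings = Vec::new();
    for p in candidates {
        if p.is_file() {
            return (Some(p.clone()), warnings);
        }
        if p.exists() {
            warnings.push(format!("{} exists but is not a regular file, skipping", p.display()));
        }
    }
    (None, warnings)
}

/// Constructed layout under the temp dir: `kms.toml` created as a directory
/// (what Docker does for a missing mount point) plus a real fallback file.
fn demo_layout() -> (PathBuf, PathBuf) {
    let root = std::env::temp_dir().join(format!("kms_cfg_demo_{}", std::process::id()));
    let _ = fs::remove_dir_all(&root);
    let as_dir = root.join("etc/cosmian/kms.toml");
    fs::create_dir_all(&as_dir).unwrap();
    let fallback = root.join("fallback.toml");
    fs::write(&fallback, "# constructed sample config\n").unwrap();
    (as_dir, fallback)
}

fn main() {
    let (as_dir, fallback) = demo_layout();
    let candidates = vec![as_dir, fallback];
    // exists() selects the directory, and reading it as a file then fails.
    let old = pick_with_exists(&candidates).unwrap();
    println!("exists(): {} -> {:?}", old.display(), fs::read_to_string(&old).err());
    // is_file() skips the directory with a warning and finds the real file.
    let (new, warnings) = pick_with_is_file(&candidates);
    println!("is_file(): {:?}, warnings: {:?}", new, warnings);
}
```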
Development

Successfully merging this pull request may close these issues.

→ Overall exposure level for cosmian_kms.service: 9.6 UNSAFE 😨
