Sovran_Systems/Sovran_SystemsOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix security warning reappearing after every reboot

Browse Source 
Add two early-exit checks in sovran-legacy-security-check before the
legacy fallthrough block:
1. Exit if /var/lib/sovran/onboarding-complete exists (Hub onboarding done)
2. Exit if /var/lib/secrets/free-password exists and is not "free" (password changed)

This prevents the boot-time service from overwriting the security-status
file that /api/change-password clears after a successful password change.

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/c18311e4-609d-4edf-a2a1-a018baede373

Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-04-07 18:26:54 +00:00
committed by GitHub
parent 72453c80bf
commit 5a27b79b51
1 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
modules/core/factory-seal.nix
View File

@@ -116,6 +116,15 @@ EOF
exit 0 exit 0
fi fi
# If the user completed Hub onboarding, they've addressed security
[ -f /var/lib/sovran/onboarding-complete ] && exit 0
# If the free password has been changed from the factory default, no warning needed
if [ -f /var/lib/secrets/free-password ]; then
CURRENT=$(cat /var/lib/secrets/free-password)
[ "$CURRENT" != "free" ] && exit 0
fi
# No flags at all + secrets exist = legacy (pre-seal era) machine # No flags at all + secrets exist = legacy (pre-seal era) machine
if [ -f /var/lib/secrets/root-password ]; then if [ -f /var/lib/secrets/root-password ]; then
mkdir -p /var/lib/sovran mkdir -p /var/lib/sovran