Sovran_Systems/Sovran_SystemsOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Sovran_Systems:14800ffb1ee524e01ed07a76d10f228373d0bac4
Branches Tags
Sovran_Systems:main Sovran_Systems:staging-dev Sovran_Systems:staging-release-candidate
..
compare: Sovran_Systems:b13fa7dc05f67b8277019aef432ad4ee256db2bb
Branches Tags
Sovran_Systems:staging-dev Sovran_Systems:main Sovran_Systems:staging-release-candidate

4 Commits
14800ffb1e ... b13fa7dc05

Author SHA1 Message Date
Sovran_Systems
b13fa7dc05 Merge pull request #126 from naturallaw777/copilot/fix-security-warning-reappearance 
Fix legacy security warning reappearing on every reboot after password change
 2026-04-07 13:29:32 -05:00
copilot-swe-agent[bot]
069f6c3ec7 Avoid storing password in variable to prevent process listing exposure 
Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/c18311e4-609d-4edf-a2a1-a018baede373

Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
 2026-04-07 18:27:32 +00:00
copilot-swe-agent[bot]
5a27b79b51 Fix security warning reappearing after every reboot 
Add two early-exit checks in sovran-legacy-security-check before the
legacy fallthrough block:
1. Exit if /var/lib/sovran/onboarding-complete exists (Hub onboarding done)
2. Exit if /var/lib/secrets/free-password exists and is not "free" (password changed)

This prevents the boot-time service from overwriting the security-status
file that /api/change-password clears after a successful password change.

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/c18311e4-609d-4edf-a2a1-a018baede373

Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
 2026-04-07 18:26:54 +00:00
copilot-swe-agent[bot]
72453c80bf Initial plan 2026-04-07 18:25:47 +00:00
1 changed files with 8 additions and 0 deletions
Expand all files Collapse all files

8
modules/core/factory-seal.nix
View File

@@ -116,6 +116,14 @@ EOF
exit 0 exit 0
fi fi
# If the user completed Hub onboarding, they've addressed security
[ -f /var/lib/sovran/onboarding-complete ] && exit 0
# If the free password has been changed from the factory default, no warning needed
if [ -f /var/lib/secrets/free-password ]; then
[ "$(cat /var/lib/secrets/free-password)" != "free" ] && exit 0
fi
# No flags at all + secrets exist = legacy (pre-seal era) machine # No flags at all + secrets exist = legacy (pre-seal era) machine
if [ -f /var/lib/secrets/root-password ]; then if [ -f /var/lib/secrets/root-password ]; then
mkdir -p /var/lib/sovran mkdir -p /var/lib/sovran