author | Niklas Hambüchen <mail@nh2.me> | 2020-11-08 16:58:58 +0100 |
---|---|---|
committer | Niklas Hambüchen <mail@nh2.me> | 2020-11-08 17:03:07 +0100 |
commit | 2f845dccbf525cbf79ac64629e9eb932f56dc86f (patch) | |
tree | f03f70c92a559e19f2fc00e0bd58d65ccedf813d /nixos/doc | |
parent | 34ad166a830d3ac1541dcce571c52231f2f0865a (diff) |
manual: nginx: Mention ProtectHome in release notes. See #85567.
See https://github.com/NixOS/nixpkgs/pull/85567#pullrequestreview-525820684
Diffstat (limited to 'nixos/doc')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2009.xml | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml index 01f113198eb92..5845cc48c545f 100644 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixos/doc/manual/release-notes/rl-2009.xml @@ -885,6 +885,17 @@ php.override { systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; </programlisting> </para> + <para> + Nginx is also started with the systemd option <literal>ProtectHome = mkDefault true;</literal> + which forbids it to read anything from <literal>/home</literal>, <literal>/root</literal> + and <literal>/run/user</literal> (see + <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=">ProtectHome docs</link> + for details). + If you require serving files from home directories, you may choose to set e.g. +<programlisting> +systemd.services.nginx.serviceConfig.ProtectHome = "read-only"; +</programlisting> + </para> </listitem> <listitem> <para> |
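Review bot: in the added paragraph, the suggested override `ProtectHome = "read-only"` is offered as the way to serve files from home directories, but the text does not say that it makes all three locations listed just above it (`/home`, `/root` and `/run/user`) readable by nginx, not only the directory being served. Suggest adding a sentence that states this scope, so that readers who apply the override know what the service can read afterwards. It would also help to say that, because the default is set with `mkDefault`, a plain assignment like the one shown is enough to override it. Minor wording: "forbids it to read anything from" would read better as "prevents it from reading anything in".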