| author | emilylange <git@emilylange.de> | 2024-03-10 18:39:43 +0100 |
|---|---|---|
| committer | Bjørn Forsman <bjorn.forsman@gmail.com> | 2024-03-11 17:34:29 +0100 |
| commit | 08c37ba89950cd10f4eaf6a10f7c8593bee6efb8 (patch) | |
| tree | 2cecf2c038a9464b0418d78219f39c83ce76bfa8 /nixos/modules/services/databases/lldap.nix | |
| parent | 750188995011edd7798e09cb2969d357f7111579 (diff) | |
nixos/lldap: set service `UMask=0027` and `StateDirectoryMode=0750`
While `/var/lib/lldap` isn't technically accessible by unprivileged users thanks to `DynamicUser=true`, a user might prefer and change it to `DynamicUser=false`. There is currently also a PR open that intends to make `DynamicUser` configurable via module option.

As such, `jwt_secret_file`, if bootstrapped by the service start procedure, might be rendered world-readable due to its permissions (`0644/-rw-r--r--`) defaulting to the service's umask (`022`) and `/var/lib/lldap` to `0755/drwxr-xr-x` due to `StateDirectoryMode=0755`.

This would usually be fixed by using `(umask 027; openssl ...)` instead of just `openssl ...`. However, it was found that another file (`users.db`), this time bootstrapped by `lldap` itself, also had insufficient permissions (`0644/-rw-r--r--`) inherited from the global umask and would be left world-readable as well.

Due to this, we instead change the service's umask to `027`. And to lower the impact for already bootstrapped files on existing instances like `users.db`, set `StateDirectoryMode=0750`.
Diffstat (limited to 'nixos/modules/services/databases/lldap.nix')

| -rw-r--r-- | nixos/modules/services/databases/lldap.nix | 2 |
|---|---|---|

1 files changed, 2 insertions, 0 deletions
diff --git a/nixos/modules/services/databases/lldap.nix b/nixos/modules/services/databases/lldap.nix index 68374425449f1..033de7af886f2 100644 --- a/nixos/modules/services/databases/lldap.nix +++ b/nixos/modules/services/databases/lldap.nix @@ -123,7 +123,9 @@ in ''; serviceConfig = { StateDirectory = "lldap"; + StateDirectoryMode = "0750"; WorkingDirectory = "%S/lldap"; + UMask = "0027"; User = "lldap"; Group = "lldap"; DynamicUser = true; |
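Review bot: the rationale for `UMask = "0027";` and `StateDirectoryMode = "0750";` exists only in the commit message; add a short comment above the two lines in the module (e.g. `# keep bootstrapped files such as jwt_secret_file and users.db from being world-readable`) so a later reader does not drop them as an apparent no-op under `DynamicUser = true;`. It is also worth stating in the module or the release notes that files already created at `0644` on existing instances keep that mode and are shielded only by the new directory mode, as the commit message itself acknowledges.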