From 2a413da57efc4c2009c984c63def8e9060771269 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Thu, 30 May 2019 14:11:56 +0300 Subject: nixos/nginx: do not run anything as root --- nixos/doc/manual/release-notes/rl-2003.xml | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'nixos/doc/manual/release-notes/rl-2003.xml') diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml index 579b8d5374448..55bd88ba85098 100644 --- a/nixos/doc/manual/release-notes/rl-2003.xml +++ b/nixos/doc/manual/release-notes/rl-2003.xml @@ -249,6 +249,18 @@ SD images are now compressed by default using bzip2. + + + The nginx web server previously started its master process as root + privileged, then ran worker processes as a less privileged identity user. + This was changed to start all of nginx as a less privileged user (defined by + services.nginx.user and + services.nginx.group). As a consequence, all files that + are needed for nginx to run (included configuration fragments, SSL + certificates and keys, etc.) must now be readable by this less privileged + user/group. + + OpenSSH has been upgraded from 7.9 to 8.1, improving security and adding features -- cgit 1.4.1
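Review bot: The first sentence of the added release note is hard to read where it says the master process started "as root privileged" and workers ran as "a less privileged identity user". Suggest "started its master process as root, then ran worker processes as a less privileged user". The closing sentence says the files nginx needs "must now be readable by this less privileged user/group" without saying how to get there. Because that list includes SSL keys, the note should tell operators to grant access through ownership or group membership for services.nginx.user and services.nginx.group, so that private keys are not made readable more broadly just to get nginx to start.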