Merge pull request #28189 from Nadrieril/ffsync-non-root

firefox syncserver service: run as non-root user by default

authored by Frederik Rietdijk and committed by GitHub 31ba3649 77404dbf

+57 -3
+8
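--- a/nixos/doc/manual/release-notes/rl-1709.xml
+++ b/nixos/doc/manual/release-notes/rl-1709.xml
@@ -154,6 +154,14 @@
 variables as parameters.
 </para>
 </listitem>
+<listitem>
+<para>
+<literal>services.firefox.syncserver</literal> now runs by default as a
+non-root user. To accomodate this change, the default sqlite database
+location has also been changed. Migration should work automatically.
+Refer to the description of the options for more details.
+</para>
+</listitem>
 </itemizedlist>
 
 <para>Other notable improvements:</para>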
+49 -3
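--- a/nixos/modules/services/networking/firefox/sync-server.nix
+++ b/nixos/modules/services/networking/firefox/sync-server.nix
@@ -4,6 +4,10 @@
 
 let
 cfg = config.services.firefox.syncserver;
+
+defaultDbLocation = "/var/db/firefox-sync-server/firefox-sync-server.db";
+defaultSqlUri = "sqlite:///${defaultDbLocation}";
+
 syncServerIni = pkgs.writeText "syncserver.ini" ''
 [DEFAULT]
 overrides = ${cfg.privateConfig}
@@ -25,6 +29,7 @@
 backend = tokenserver.verifiers.LocalVerifier
 audiences = ${removeSuffix "/" cfg.publicUrl}
 '';
+
 in
 
 {
@@ -65,6 +70,18 @@
 '';
 };
 
+user = mkOption {
+type = types.str;
+default = "syncserver";
+description = "User account under which syncserver runs.";
+};
+
+group = mkOption {
+type = types.str;
+default = "syncserver";
+description = "Group account under which syncserver runs.";
+};
+
 publicUrl = mkOption {
 type = types.str;
 default = "http://localhost:5000/";
@@ -85,7 +102,7 @@
 
 sqlUri = mkOption {
 type = types.str;
-default = "sqlite:////var/db/firefox-sync-server.db";
+default = defaultSqlUri;
 example = "postgresql://scott:tiger@localhost/test";
 description = ''
 The location of the database. This URL is composed of
@@ -126,16 +143,45 @@
 description = "Firefox Sync Server";
 wantedBy = [ "multi-user.target" ];
 path = [ pkgs.coreutils syncServerEnv ];
+
+serviceConfig = {
+User = cfg.user;
+Group = cfg.group;
+PermissionsStartOnly = true;
+};
+
 preStart = ''
 if ! test -e ${cfg.privateConfig}; then
-umask u=rwx,g=x,o=x
-mkdir -p $(dirname ${cfg.privateConfig})
+mkdir -m 700 -p $(dirname ${cfg.privateConfig})
 echo > ${cfg.privateConfig} '[syncserver]'
 echo >> ${cfg.privateConfig} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')"
 fi
+chown ${cfg.user}:${cfg.group} ${cfg.privateConfig}
+'' + optionalString (cfg.sqlUri == defaultSqlUri) ''
+if ! test -e $(dirname ${defaultDbLocation}); then
+mkdir -m 700 -p $(dirname ${defaultDbLocation})
+chown ${cfg.user}:${cfg.group} $(dirname ${defaultDbLocation})
+fi
+# Move previous database file if it exists
+oldDb="/var/db/firefox-sync-server.db"
+if test -f $oldDb; then
+mv $oldDb ${defaultDbLocation}
+chown ${cfg.user}:${cfg.group} ${defaultDbLocation}
+fi
 '';
 serviceConfig.ExecStart = "${syncServerEnv}/bin/paster serve ${syncServerIni}";
 };
 
+users.extraUsers = optionalAttrs (cfg.user == "syncserver")
+(singleton {
+name = "syncserver";
+group = cfg.group;
+isSystemUser = true;
+});
+
+users.extraGroups = optionalAttrs (cfg.group == "syncserver")
+(singleton {
+name = "syncserver";
+});
 };
 }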
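Review bot: The secret file's parent directory is created root-owned with mode 700 (`mkdir -m 700 -p $(dirname ${cfg.privateConfig})`) and is never chowned, while only the file inside it is handed to cfg.user. With PermissionsStartOnly the preStart runs as root but the service itself now runs as cfg.user, and a non-root user cannot traverse a root-owned 0700 directory, so on a fresh install where that directory does not already exist the service will presumably be unable to read its own secret (the removed `umask u=rwx,g=x,o=x` produced a traversable 711 directory); the database directory a few lines below is chowned, so the two branches are also inconsistent. The file itself is written under the default umask with no explicit mode, so it currently relies on the directory alone for protection. I would keep the directory root-owned but traversable and lock down the file instead: `mkdir -m 711 -p $(dirname ${cfg.privateConfig})` and, next to the existing chown, `chmod 600 ${cfg.privateConfig}`. The enclosing systemd.services definition begins before this hunk.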