nixos/exim: apply privilege restrictions

Since 816614bd62b, the service is set to use the exim user so that
systemd takes care of the credentials ownership. The executable is
still required to run as root, to then drop privileges. The prefix '+'
that was used however interferes with the use of privilege restrictions
and other sandboxing options. Since we only want to escape the "User"
setting, we can use the '!' prefix instead.

pacien 54be076a 09720cc4

+2 -2
nixos/modules/services/mail/exim.nix
··· 116 116 wantedBy = [ "multi-user.target" ]; 117 117 restartTriggers = [ config.environment.etc."exim.conf".source ]; 118 118 serviceConfig = { 119 - ExecStart = "+${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}"; 120 - ExecReload = "+${coreutils}/bin/kill -HUP $MAINPID"; 119 + ExecStart = "!${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}"; 120 + ExecReload = "!${coreutils}/bin/kill -HUP $MAINPID"; 121 121 User = cfg.user; 122 122 }; 123 123 preStart = ''
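Review bot: The '!' prefix on the new ExecStart and ExecReload lines (119-120) is load-bearing but carries no explanation in the module itself. Add a short Nix comment above them saying that '!' bypasses only the User = cfg.user setting so that exim starts as root and drops privileges itself, while leaving other restrictions in force; without it a later cleanup could drop the prefix or revert to '+'. The serviceConfig shown here still sets no sandboxing options, so this change on its own only makes such restrictions possible, and the ones the title refers to should follow in this series or be named in the message. It is also worth confirming that ExecReload needs the prefix at all, that is, that the main process is still owned by root when kill -HUP $MAINPID runs.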