pyrox.dev / nixpkgs
lol
fork atom

namecoind nixos module: security enhancements

Thomas Strobel 8db7c14e 13e2d224

+24 -2
unified split
+1 -1
nixos/modules/misc/ids.nix
··· 437 437 riak = 205; 438 438 #shout = 206; #unused 439 439 gateone = 207; 440 - #namecoin = 208; #unused 440 + namecoin = 208; 441 441 442 442 # When adding a gid, make sure it doesn't match an existing 443 443 # uid. Users and groups with the same name should have equal
+23 -1
nixos/modules/services/networking/namecoind.nix
··· 45 45 type = types.path; 46 46 example = "/etc/namecoin/wallet.dat"; 47 47 description = '' 48 - Wallet file. 48 + Wallet file. The ownership of the file has to be 49 + namecoin:namecoin, and the permissions must be 0640. 49 50 ''; 50 51 }; 51 52 ··· 61 62 USER=namecoin 62 63 PASSWORD=secret 63 64 </literal> 65 + The ownership of the file has to be namecoin:namecoin, 66 + and the permissions must be 0640. 64 67 ''; 65 68 }; 66 69 ··· 107 110 createHome = true; 108 111 }; 109 112 113 + users.extraGroups = singleton 114 + { name = "namecoin"; 115 + gid = config.ids.gids.namecoin; 116 + }; 117 + 110 118 systemd.services.namecoind = { 111 119 description = "Namecoind Daemon"; 112 120 after = [ "network.target" ]; 113 121 wantedBy = [ "multi-user.target" ]; 122 + preStart = '' 123 + if [ "$(stat --printf '%u' ${cfg.userFile})" != "${toString config.ids.uids.namecoin}" \ 124 + -o "$(stat --printf '%g' ${cfg.userFile})" != "${toString config.ids.gids.namecoin}" \ 125 + -o "$(stat --printf '%a' ${cfg.userFile})" != "640" ]; then 126 + echo "ERROR: bad ownership or rights on ${cfg.userFile}" >&2 127 + exit 1 128 + fi 129 + if [ "$(stat --printf '%u' ${cfg.wallet})" != "${toString config.ids.uids.namecoin}" \ 130 + -o "$(stat --printf '%g' ${cfg.wallet})" != "${toString config.ids.gids.namecoin}" \ 131 + -o "$(stat --printf '%a' ${cfg.wallet})" != "640" ]; then 132 + echo "ERROR: bad ownership or rights on ${cfg.wallet}" >&2 133 + exit 1 134 + fi 135 + ''; 114 136 serviceConfig = { 115 137 Type = "simple"; 116 138 User = "namecoin";