lol

nixos/geoip-updater: run as user 'geoip' instead of 'nobody'

That way 'nobody' is prevented from messing with the databases.

+12 -4
+2
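--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -287,6 +287,7 @@
 pdns-recursor = 269;
 kresd = 270;
 rpc = 271;
+geoip = 272;
 
 # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -543,6 +544,7 @@
 gogs = 268;
 kresd = 270;
 #rpc = 271; # unused
+#geoip = 272; # unused
 
 # When adding a gid, make sure it doesn't match an existing
 # uid. Users and groups with the same name should have equal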
+10 -4
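--- a/nixos/modules/services/misc/geoip-updater.nix
+++ b/nixos/modules/services/misc/geoip-updater.nix
@@ -251,6 +251,12 @@
 }
 ];
 
+users.extraUsers.geoip = {
+group = "root";
+description = "GeoIP database updater";
+uid = config.ids.uids.geoip;
+};
+
 systemd.timers.geoip-updater =
 { description = "GeoIP Updater Timer";
 partOf = [ "geoip-updater.service" ];
@@ -267,11 +273,11 @@
 preStart = ''
 mkdir -p "${cfg.databaseDir}"
 chmod 755 "${cfg.databaseDir}"
-chown nobody:root "${cfg.databaseDir}"
+chown geoip:root "${cfg.databaseDir}"
 '';
 serviceConfig = {
 ExecStart = "${geoip-updater}/bin/geoip-updater";
-User = "nobody";
+User = "geoip";
 PermissionsStartOnly = true;
 };
 };
@@ -285,11 +291,11 @@
 preStart = ''
 mkdir -p "${cfg.databaseDir}"
 chmod 755 "${cfg.databaseDir}"
-chown nobody:root "${cfg.databaseDir}"
+chown geoip:root "${cfg.databaseDir}"
 '';
 serviceConfig = {
 ExecStart = "${geoip-updater}/bin/geoip-updater --skip-existing";
-User = "nobody";
+User = "geoip";
 PermissionsStartOnly = true;
 # So it won't be (needlessly) restarted:
 RemainAfterExit = true;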
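Review bot: The new `users.extraUsers.geoip` block sets `group = "root";`, so the network-facing updater now runs with gid 0 as its primary group and gains access to anything that is group-readable or group-writable by root. That is more privilege than the service had when it ran as `nobody`. A dedicated group (with the gid in ids.nix enabled rather than commented out) or an unprivileged one such as `group = "nogroup";` would keep the account least-privileged; the `chown geoip:root` on the directory can stay as it is. Separately, both `preStart` scripts chown only `${cfg.databaseDir}` itself, so database files written by earlier runs presumably remain owned by `nobody` after an upgrade; a one-time recursive chown in `preStart` would be needed to meet the goal stated in the commit message.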