authorThomas Strobel <ts468@cam.ac.uk>2015-09-10 18:04:04 +0200
committerThomas Strobel <ts468@cam.ac.uk>2015-09-10 18:11:40 +0200
commit8db7c14e5632cb139ecdb0eeceaabddc9f00d7a8 (patch)
treeb82c5c88aa2e66d3455af50a918c165c88c90f42
parent13e2d2245e390c2460f840404d70ec67acdfb241 (diff)
namecoind nixos module: security enhancements
-rw-r--r--nixos/modules/misc/ids.nix2
-rw-r--r--nixos/modules/services/networking/namecoind.nix24
2 files changed, 24 insertions, 2 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 8ee92f695b46..0d7b1c4f222f 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -437,7 +437,7 @@
       riak = 205;
       #shout = 206; #unused
       gateone = 207;
-      #namecoin = 208; #unused
+      namecoin = 208;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal
diff --git a/nixos/modules/services/networking/namecoind.nix b/nixos/modules/services/networking/namecoind.nix
index 4851abc47481..83fc1ec66679 100644
--- a/nixos/modules/services/networking/namecoind.nix
+++ b/nixos/modules/services/networking/namecoind.nix
@@ -45,7 +45,8 @@ in
         type = types.path;
         example = "/etc/namecoin/wallet.dat";
         description = ''
-          Wallet file.
+          Wallet file. The ownership of the file has to be
+          namecoin:namecoin, and the permissions must be 0640.
         '';
       };
 
@@ -61,6 +62,8 @@ in
           USER=namecoin
           PASSWORD=secret
           </literal>
+          The ownership of the file has to be namecoin:namecoin,
+          and the permissions must be 0640.
         '';
       };
 
@@ -107,10 +110,29 @@ in
         createHome = true;
       };
 
+    users.extraGroups = singleton
+      { name = "namecoin";
+        gid = config.ids.gids.namecoin;
+      };
+
     systemd.services.namecoind = {
         description = "Namecoind Daemon";
         after = [ "network.target" ];
         wantedBy = [ "multi-user.target" ];
+        preStart = ''
+          if [  "$(stat --printf '%u' ${cfg.userFile})" != "${toString config.ids.uids.namecoin}" \
+             -o "$(stat --printf '%g' ${cfg.userFile})" != "${toString config.ids.gids.namecoin}" \
+             -o "$(stat --printf '%a' ${cfg.userFile})" != "640" ]; then
+             echo "ERROR: bad ownership or rights on ${cfg.userFile}" >&2
+             exit 1
+          fi
+          if [  "$(stat --printf '%u' ${cfg.wallet})" != "${toString config.ids.uids.namecoin}" \
+             -o "$(stat --printf '%g' ${cfg.wallet})" != "${toString config.ids.gids.namecoin}" \
+             -o "$(stat --printf '%a' ${cfg.wallet})" != "640" ]; then
+             echo "ERROR: bad ownership or rights on ${cfg.wallet}" >&2
+             exit 1
+          fi
+        '';
         serviceConfig = {
           Type = "simple";
           User = "namecoin";
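Review bot: The two `preStart` checks interpolate `${cfg.userFile}` and `${cfg.wallet}` into the shell unquoted and join three tests with `-o` inside one `[`, a form POSIX marks obsolescent; a path containing whitespace would split into several `stat` arguments and the comparison would no longer test the intended file. Folding both checks into one quoted helper that compares `%u:%g:%a` as a single string removes the duplication and still fails closed when `stat` cannot read the file. The check covers only the file itself, so it presumably relies on the parent directory not being writable by other accounts; that assumption is worth stating in the two option descriptions. `serviceConfig` continues past the end of the hunk.

```nix
        preStart = ''
          # Refuse to start unless the file is owned by namecoin:namecoin with mode 0640.
          check_secret() {
            if [ "$(stat --printf '%u:%g:%a' "$1")" != "${toString config.ids.uids.namecoin}:${toString config.ids.gids.namecoin}:640" ]; then
              echo "ERROR: bad ownership or rights on $1" >&2
              exit 1
            fi
          }
          check_secret "${cfg.userFile}"
          check_secret "${cfg.wallet}"
        '';
        # … unchanged: serviceConfig …
```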