author | Niklas Hambüchen <mail@nh2.me> | 2020-04-11 02:57:15 +0200 |
---|---|---|
committer | Niklas Hambüchen <mail@nh2.me> | 2020-04-11 02:57:15 +0200 |
commit | ba50a7a3f1cca2ce189da1069a672fa72927bd94 (patch) | |
tree | 4fc2180389ecb643684d5cda36abddff3d39c077 /nixos/doc/manual | |
parent | 5bca1a7664f1769678b2dd8ad0976581a86cda0a (diff) | |
release notes: Explain how to run nginx master as root. Fixes #84391
Diffstat (limited to 'nixos/doc/manual')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2003.xml | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml index f09fb3255d84..28990517da84 100644 --- a/nixos/doc/manual/release-notes/rl-2003.xml +++ b/nixos/doc/manual/release-notes/rl-2003.xml @@ -809,7 +809,8 @@ auth required pam_succeed_if.so uid >= 1000 quiet <listitem> <para> The nginx web server previously started its master process as root - privileged, then ran worker processes as a less privileged identity user. + privileged, then ran worker processes as a less privileged identity user + (the <literal>nginx</literal> user). This was changed to start all of nginx as a less privileged user (defined by <literal>services.nginx.user</literal> and <literal>services.nginx.group</literal>). As a consequence, all files that @@ -817,6 +818,13 @@ auth required pam_succeed_if.so uid >= 1000 quiet certificates and keys, etc.) must now be readable by this less privileged user/group. </para> + <para> + To continue to use the old approach, you can configure: + <programlisting> +services.nginx.appendConfig = let cfg = config.services.nginx; in ''user ${cfg.user} ${cfg.group};''; +systemd.services.nginx.serviceConfig.User = lib.mkForce "root"; + </programlisting> + </para> </listitem> <listitem> <para> |
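Review bot: in the hunk at @@ -809,7 +809,8 @@, the added parenthetical "(the <literal>nginx</literal> user)" names one fixed account, while the very next sentence describes the unprivileged identity as "defined by <literal>services.nginx.user</literal> and <literal>services.nginx.group</literal>". A reader who has overridden those options cannot tell whether the parenthetical refers to the literal account name or to whatever the option is set to. Suggest wording it as the default value or referring to the option. Since the line is being touched anyway, "as root privileged, then ran worker processes as a less privileged identity user" could also be tightened to something like "as root, then ran worker processes as a less privileged user".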
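Review bot: in the hunk at @@ -817,6 +818,13 @@, the new paragraph offers "To continue to use the old approach, you can configure:" without saying what is given up. The snippet forces systemd.services.nginx.serviceConfig.User to "root", so the master process runs as root again and the privilege reduction described in the preceding paragraph is undone. Suggest one sentence stating that, and naming the alternative the previous paragraph already implies: make the certificates, keys and other files readable by the services.nginx.user / services.nginx.group identity. The snippet also uses config and lib.mkForce without noting that both must be in scope as module arguments, which is worth a short remark for readers pasting it into their configuration.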