diff options
author | pacien <pacien.trangirard@pacien.net> | 2023-06-05 20:04:48 +0200 |
---|---|---|
committer | pacien <pacien.trangirard@pacien.net> | 2023-06-05 20:04:48 +0200 |
commit | 54be076ae77da1f45fbc6c88419657f828e6237e (patch) | |
tree | 64f74d75a7ddc72e0cd31b4a7ab2157df5f9cc58 /nixos/modules/services/mail | |
parent | 09720cc41f0dad446f119e3a6259c640d4b33003 (diff) | |
download | nixlib-54be076ae77da1f45fbc6c88419657f828e6237e.tar nixlib-54be076ae77da1f45fbc6c88419657f828e6237e.tar.gz nixlib-54be076ae77da1f45fbc6c88419657f828e6237e.tar.bz2 nixlib-54be076ae77da1f45fbc6c88419657f828e6237e.tar.lz nixlib-54be076ae77da1f45fbc6c88419657f828e6237e.tar.xz nixlib-54be076ae77da1f45fbc6c88419657f828e6237e.tar.zst nixlib-54be076ae77da1f45fbc6c88419657f828e6237e.zip |
nixos/exim: apply privilege restrictions
Since 816614bd62b, the service is set to use the exim user so that systemd takes care of the credentials ownership. The executable is still required to run as root, to then drop privileges. The prefix '+' that was used however interfers with the use of privilege restrictions and other sandboxing options. Since we only want to escape the "User" setting, we can use the '!' prefix instead.
Diffstat (limited to 'nixos/modules/services/mail')
-rw-r--r-- | nixos/modules/services/mail/exim.nix | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/nixos/modules/services/mail/exim.nix b/nixos/modules/services/mail/exim.nix index a9504acee351..1d1258913b67 100644 --- a/nixos/modules/services/mail/exim.nix +++ b/nixos/modules/services/mail/exim.nix @@ -116,8 +116,8 @@ in wantedBy = [ "multi-user.target" ]; restartTriggers = [ config.environment.etc."exim.conf".source ]; serviceConfig = { - ExecStart = "+${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}"; - ExecReload = "+${coreutils}/bin/kill -HUP $MAINPID"; + ExecStart = "!${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}"; + ExecReload = "!${coreutils}/bin/kill -HUP $MAINPID"; User = cfg.user; }; preStart = '' |