author | Bjørn Forsman <bjorn.forsman@gmail.com> | 2017-02-13 22:26:21 +0100 |
---|---|---|
committer | Bjørn Forsman <bjorn.forsman@gmail.com> | 2017-02-15 23:25:27 +0100 |
commit | d4e5bb34b76c98adee1d7fc00440adeb6a2a8c13 (patch) | |
tree | b9ff819b8bc4e124df3ee77f53fde0ea7f1fabf8 /nixos/modules/services/misc | |
parent | 900fc49013c83e39ed7b22260d15a616a939b32e (diff) | |
nixos/geoip-updater: run as user 'geoip' instead of 'nobody'
That way, other processes running as the shared 'nobody' account are prevented from tampering with the databases.
Diffstat (limited to 'nixos/modules/services/misc')
-rw-r--r-- | nixos/modules/services/misc/geoip-updater.nix | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/nixos/modules/services/misc/geoip-updater.nix b/nixos/modules/services/misc/geoip-updater.nix
index 021ee02782d2..5135fac8f7dc 100644
--- a/nixos/modules/services/misc/geoip-updater.nix
+++ b/nixos/modules/services/misc/geoip-updater.nix
@@ -251,6 +251,12 @@ in
       }
     ];
 
+    users.extraUsers.geoip = {
+      group = "root";
+      description = "GeoIP database updater";
+      uid = config.ids.uids.geoip;
+    };
+
     systemd.timers.geoip-updater = {
       description = "GeoIP Updater Timer";
       partOf = [ "geoip-updater.service" ];
@@ -267,11 +273,11 @@ in
       preStart = ''
         mkdir -p "${cfg.databaseDir}"
         chmod 755 "${cfg.databaseDir}"
-        chown nobody:root "${cfg.databaseDir}"
+        chown geoip:root "${cfg.databaseDir}"
       '';
       serviceConfig = {
         ExecStart = "${geoip-updater}/bin/geoip-updater";
-        User = "nobody";
+        User = "geoip";
         PermissionsStartOnly = true;
       };
     };
@@ -285,11 +291,11 @@ in
       preStart = ''
         mkdir -p "${cfg.databaseDir}"
         chmod 755 "${cfg.databaseDir}"
-        chown nobody:root "${cfg.databaseDir}"
+        chown geoip:root "${cfg.databaseDir}"
       '';
       serviceConfig = {
         ExecStart = "${geoip-updater}/bin/geoip-updater --skip-existing";
-        User = "nobody";
+        User = "geoip";
         PermissionsStartOnly = true;
         # So it won't be (needlessly) restarted:
         RemainAfterExit = true;
|
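Review bot: The new `geoip` account is created with `group = "root";` as its primary group, which gives the updater process root-group access to anything on the host that is group-readable or group-writable by `root` — more than a database downloader needs, and it undercuts the isolation the commit is after. A dedicated group keeps the privilege boundary tight: `users.extraGroups.geoip.gid = config.ids.gids.geoip;` together with `group = "geoip";` here and a matching `chown geoip:geoip` on the database directory, provided a `geoip` gid is reserved in `ids.nix` next to the uid this hunk references; that file is outside the shown diffstat, so I cannot confirm either id exists. If root as primary group is deliberate (e.g. root-group consumers of the databases), a comment such as `# primary group root: databaseDir is read by root-owned services` would make the choice reviewable.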
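Review bot: The `chown geoip:root "${cfg.databaseDir}"` in `preStart` is not recursive, so on a host upgraded from the previous module the `.mmdb` files already inside the directory stay owned by `nobody` while the updater now runs as `geoip`; unless `geoip-updater` writes a fresh file and renames it over the old one (not visible here), the first run after this change can no longer overwrite them. `chown -R geoip:root "${cfg.databaseDir}"` would migrate existing installs, but since `databaseDir` is user-configurable it re-owns whatever lives there, so the line deserves a comment such as `# -R: adopt databases fetched while the service still ran as nobody`. The enclosing `systemd.services` definition starts outside the hunk.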