diff options
| author | Thomas Strobel <ts468@cam.ac.uk> | 2015-09-10 18:04:04 +0200 |
|---|---|---|
| committer | Thomas Strobel <ts468@cam.ac.uk> | 2015-09-10 18:11:40 +0200 |
| commit | 8db7c14e5632cb139ecdb0eeceaabddc9f00d7a8 (patch) | |
| tree | b82c5c88aa2e66d3455af50a918c165c88c90f42 /nixos/modules/services/networking | |
| parent | 13e2d2245e390c2460f840404d70ec67acdfb241 (diff) | |
| download | nixlib-8db7c14e5632cb139ecdb0eeceaabddc9f00d7a8.tar nixlib-8db7c14e5632cb139ecdb0eeceaabddc9f00d7a8.tar.gz nixlib-8db7c14e5632cb139ecdb0eeceaabddc9f00d7a8.tar.bz2 nixlib-8db7c14e5632cb139ecdb0eeceaabddc9f00d7a8.tar.lz nixlib-8db7c14e5632cb139ecdb0eeceaabddc9f00d7a8.tar.xz nixlib-8db7c14e5632cb139ecdb0eeceaabddc9f00d7a8.tar.zst nixlib-8db7c14e5632cb139ecdb0eeceaabddc9f00d7a8.zip | |
namecoind nixos module: security enhancements
Diffstat (limited to 'nixos/modules/services/networking')
| -rw-r--r-- | nixos/modules/services/networking/namecoind.nix | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/namecoind.nix b/nixos/modules/services/networking/namecoind.nix index 4851abc47481..83fc1ec66679 100644 --- a/nixos/modules/services/networking/namecoind.nix +++ b/nixos/modules/services/networking/namecoind.nix @@ -45,7 +45,8 @@ in type = types.path; example = "/etc/namecoin/wallet.dat"; description = '' - Wallet file. + Wallet file. The ownership of the file has to be + namecoin:namecoin, and the permissions must be 0640. ''; }; @@ -61,6 +62,8 @@ in USER=namecoin PASSWORD=secret </literal> + The ownership of the file has to be namecoin:namecoin, + and the permissions must be 0640. ''; }; @@ -107,10 +110,29 @@ in createHome = true; }; + users.extraGroups = singleton + { name = "namecoin"; + gid = config.ids.gids.namecoin; + }; + systemd.services.namecoind = { description = "Namecoind Daemon"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; + preStart = '' + if [ "$(stat --printf '%u' ${cfg.userFile})" != "${toString config.ids.uids.namecoin}" \ + -o "$(stat --printf '%g' ${cfg.userFile})" != "${toString config.ids.gids.namecoin}" \ + -o "$(stat --printf '%a' ${cfg.userFile})" != "640" ]; then + echo "ERROR: bad ownership or rights on ${cfg.userFile}" >&2 + exit 1 + fi + if [ "$(stat --printf '%u' ${cfg.wallet})" != "${toString config.ids.uids.namecoin}" \ + -o "$(stat --printf '%g' ${cfg.wallet})" != "${toString config.ids.gids.namecoin}" \ + -o "$(stat --printf '%a' ${cfg.wallet})" != "640" ]; then + echo "ERROR: bad ownership or rights on ${cfg.wallet}" >&2 + exit 1 + fi + ''; serviceConfig = { Type = "simple"; User = "namecoin"; |