author | Aaron Andersen <aaron@fosslib.net> | 2020-04-11 19:58:24 -0400 |
---|---|---|
committer | Aaron Andersen <aaron@fosslib.net> | 2020-04-21 20:33:18 -0400 |
commit | 20f37a443089628fb7fd9d5f941bdabbdd4fecc2 (patch) | |
tree | c72d01ba3bc6baaf0a7f8a3c86ff8659ca1e95ad /nixos/modules/services/web-servers | |
parent | d3a41f3c23b5f7b88613f57d6c7f6b86d662df55 (diff) | |
nixos/httpd: run as non root user
Diffstat (limited to 'nixos/modules/services/web-servers')
-rw-r--r-- | nixos/modules/services/web-servers/apache-httpd/default.nix | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix
index 832c8b30ee9d..1094ed93e68c 100644
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@@ -453,7 +453,13 @@ in
 type = types.str;
 default = "wwwrun";
 description = ''
- User account under which httpd runs.
+ User account under which httpd children processes run.
+
+ If you require the main httpd process to run as
+ <literal>root</literal> add the following configuration:
+ <programlisting>
+ systemd.services.httpd.serviceConfig.User = lib.mkForce "root";
+ </programlisting>
 '';
 };
 
@@ -461,7 +467,7 @@ in
 type = types.str;
 default = "wwwrun";
 description = ''
- Group under which httpd runs.
+ Group under which httpd children processes run.
 '';
 };
 
@@ -724,7 +730,7 @@ in
 ExecStart = "@${pkg}/bin/httpd httpd -f ${httpdConf}";
 ExecStop = "${pkg}/bin/httpd -f ${httpdConf} -k graceful-stop";
 ExecReload = "${pkg}/bin/httpd -f ${httpdConf} -k graceful";
- User = "root";
+ User = cfg.user;
 Group = cfg.group;
 Type = "forking";
 PIDFile = "${runtimeDir}/httpd.pid";
@@ -732,6 +738,7 @@ in
 RestartSec = "5s";
 RuntimeDirectory = "httpd httpd/runtime";
 RuntimeDirectoryMode = "0750";
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
 };
 };
 
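Review bot: With `User = cfg.user;` in the third hunk the master process no longer starts as root, so everything httpd opens before forking — TLS private keys, the log directory, the pid file under `${runtimeDir}` — must now be readable or writable by cfg.user, and this hunk does not show the ownership of those paths being adjusted; that presumably lives elsewhere in the file and should be checked. It also means key material must be readable by the same unprivileged account that serves requests rather than by root alone, which is a change in exposure worth stating in the `user` option description next to the new mkForce advice. The enclosing `serviceConfig` attribute set starts outside the hunk.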
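Review bot: `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` in the last hunk carries no explanation of why it is needed, and ambient capabilities are inherited by every process the service execs, not just the listening master; add a comment such as `# the master process is no longer root, so it needs this to bind ports below 1024` and pair it with `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];` so the unit holds nothing beyond the port-binding capability. If a user follows the new option description and forces `User` back to `root`, this line becomes redundant but harmless, which is worth a sentence in that description too. The attribute set closes within the hunk.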