diff options
| author | Frederik Rietdijk <freddyrietdijk@fridh.nl> | 2017-08-24 20:47:52 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-08-24 20:47:52 +0200 |
| commit | 31ba3649ec1e6973eadaa40fe6bd42861901b3e0 (patch) | |
| tree | 1491635482d2495ad1cf0bf2f294f8eb8715dabb /nixos/modules | |
| parent | 77404dbf37838dfc6b8a10d8c7298d813481705f (diff) | |
| parent | 69a4836df5f586468755d4897cba02fc40dac24e (diff) | |
| download | nixlib-31ba3649ec1e6973eadaa40fe6bd42861901b3e0.tar nixlib-31ba3649ec1e6973eadaa40fe6bd42861901b3e0.tar.gz nixlib-31ba3649ec1e6973eadaa40fe6bd42861901b3e0.tar.bz2 nixlib-31ba3649ec1e6973eadaa40fe6bd42861901b3e0.tar.lz nixlib-31ba3649ec1e6973eadaa40fe6bd42861901b3e0.tar.xz nixlib-31ba3649ec1e6973eadaa40fe6bd42861901b3e0.tar.zst nixlib-31ba3649ec1e6973eadaa40fe6bd42861901b3e0.zip | |
Merge pull request #28189 from Nadrieril/ffsync-non-root
firefox syncserver service: run as non-root user by default
Diffstat (limited to 'nixos/modules')
| -rw-r--r-- | nixos/modules/services/networking/firefox/sync-server.nix | 52 |
1 files changed, 49 insertions, 3 deletions
diff --git a/nixos/modules/services/networking/firefox/sync-server.nix b/nixos/modules/services/networking/firefox/sync-server.nix index c1a14931429a..a9f3fd65d76b 100644 --- a/nixos/modules/services/networking/firefox/sync-server.nix +++ b/nixos/modules/services/networking/firefox/sync-server.nix @@ -4,6 +4,10 @@ with lib; let cfg = config.services.firefox.syncserver; + + defaultDbLocation = "/var/db/firefox-sync-server/firefox-sync-server.db"; + defaultSqlUri = "sqlite:///${defaultDbLocation}"; + syncServerIni = pkgs.writeText "syncserver.ini" '' [DEFAULT] overrides = ${cfg.privateConfig} @@ -25,6 +29,7 @@ let backend = tokenserver.verifiers.LocalVerifier audiences = ${removeSuffix "/" cfg.publicUrl} ''; + in { @@ -65,6 +70,18 @@ in ''; }; + user = mkOption { + type = types.str; + default = "syncserver"; + description = "User account under which syncserver runs."; + }; + + group = mkOption { + type = types.str; + default = "syncserver"; + description = "Group account under which syncserver runs."; + }; + publicUrl = mkOption { type = types.str; default = "http://localhost:5000/"; @@ -85,7 +102,7 @@ in sqlUri = mkOption { type = types.str; - default = "sqlite:////var/db/firefox-sync-server.db"; + default = defaultSqlUri; example = "postgresql://scott:tiger@localhost/test"; description = '' The location of the database. This URL is composed of @@ -126,16 +143,45 @@ in description = "Firefox Sync Server"; wantedBy = [ "multi-user.target" ]; path = [ pkgs.coreutils syncServerEnv ]; + + serviceConfig = { + User = cfg.user; + Group = cfg.group; + PermissionsStartOnly = true; + }; + preStart = '' if ! test -e ${cfg.privateConfig}; then - umask u=rwx,g=x,o=x - mkdir -p $(dirname ${cfg.privateConfig}) + mkdir -m 700 -p $(dirname ${cfg.privateConfig}) echo > ${cfg.privateConfig} '[syncserver]' echo >> ${cfg.privateConfig} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')" fi + chown ${cfg.user}:${cfg.group} ${cfg.privateConfig} + '' + optionalString (cfg.sqlUri == defaultSqlUri) '' + if ! test -e $(dirname ${defaultDbLocation}); then + mkdir -m 700 -p $(dirname ${defaultDbLocation}) + chown ${cfg.user}:${cfg.group} $(dirname ${defaultDbLocation}) + fi + # Move previous database file if it exists + oldDb="/var/db/firefox-sync-server.db" + if test -f $oldDb; then + mv $oldDb ${defaultDbLocation} + chown ${cfg.user}:${cfg.group} ${defaultDbLocation} + fi ''; serviceConfig.ExecStart = "${syncServerEnv}/bin/paster serve ${syncServerIni}"; }; + users.extraUsers = optionalAttrs (cfg.user == "syncserver") + (singleton { + name = "syncserver"; + group = cfg.group; + isSystemUser = true; + }); + + users.extraGroups = optionalAttrs (cfg.group == "syncserver") + (singleton { + name = "syncserver"; + }); }; } |