author | Markus Kowalewski <markus.kowalewski@gmail.com> | 2018-11-06 21:59:29 +0100 |
---|---|---|
committer | Markus Kowalewski <markus.kowalewski@gmail.com> | 2018-11-06 21:59:29 +0100 |
commit | a0371d476115a8fab54186664c9cca3d19e9537f (patch) | |
tree | db3d24306e8d508fe680852f890cd3e893df74c8 /nixos | |
parent | 0d30f7b02307e39d0544022a03b450a1679ed068 (diff) | |
nixos/postgresqlBackup: set to umask to 0077
* Ensure that the backup file is only readable by the owner
* Add a file permission test to the tests
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/backup/postgresql-backup.nix | 2 | ||||
-rw-r--r-- | nixos/tests/postgresql.nix | 1 |
2 files changed, 3 insertions, 0 deletions
diff --git a/nixos/modules/services/backup/postgresql-backup.nix b/nixos/modules/services/backup/postgresql-backup.nix
index 2ec78ce6f2cf..f9f9568faa5c 100644
--- a/nixos/modules/services/backup/postgresql-backup.nix
+++ b/nixos/modules/services/backup/postgresql-backup.nix
@@ -20,6 +20,8 @@ let
 '';
 script = ''
+ umask 0077 # ensure backup is only readable by postgres user
+
 if [ -e ${cfg.location}/${db}.sql.gz ]; then
 ${pkgs.coreutils}/bin/mv ${cfg.location}/${db}.sql.gz ${cfg.location}/${db}.prev.sql.gz
 fi
diff --git a/nixos/tests/postgresql.nix b/nixos/tests/postgresql.nix
index f1f09277f342..d2ea0aa899f8 100644
--- a/nixos/tests/postgresql.nix
+++ b/nixos/tests/postgresql.nix
@@ -53,6 +53,7 @@ let
 # Check backup service
 $machine->succeed("systemctl start postgresqlBackup-postgres.service");
 $machine->succeed("zcat /var/backup/postgresql/postgres.sql.gz | grep '<test>ok</test>'");
+ $machine->succeed("stat -c '%a' /var/backup/postgresql/postgres.sql.gz | grep 600");
 $machine->shutdown;
 ''; |
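Review bot: The umask only governs files created after it, so the `mv` on the context line below the added lines carries the existing mode of an already present `${db}.sql.gz` over to `${db}.prev.sql.gz`; on the first run after this change a backup written under the previous umask keeps whatever mode it had until the next rotation replaces it. A `${pkgs.coreutils}/bin/chmod 0600 ${cfg.location}/${db}.prev.sql.gz` after the `mv`, inside the same `if` block, closes that window. The added comment names the postgres user, but `umask 0077` restricts the file to whichever user the service runs as, and that is not visible in this hunk, so `# ensure the backup is only readable by the service user` would be the safer wording. The `script` body continues past the end of the hunk.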
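Review bot: `grep 600` on the added line is a substring match, so the assertion also accepts any mode whose octal form merely contains `600` (for example a file with an extra mode bit printed as `1600`); `grep -x 600` pins the exact value. The check also covers only the freshly written `postgres.sql.gz`: the rotated `postgres.prev.sql.gz` produced by a second run of the service is never inspected, so starting `postgresqlBackup-postgres.service` a second time and repeating the same `stat` on `/var/backup/postgresql/postgres.prev.sql.gz` would exercise the rotation path as well. The surrounding test script starts before this hunk.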