Merge pull request #73886 from flokli/phpfpm-privatetmp

nixos/phpfpm: enable PrivateTmp=true

nixos/doc/manual/release-notes/rl-2003.xml

@@ -163,6 +163,14 @@
      time during the releases development (if viable).
     </para>
    </listitem>
+   <listitem>
+    <para>
+      The <link linkend="opt-services.phpfpm.pools">phpfpm</link> module now sets
+      <literal>PrivateTmp=true</literal> in its systemd units for better process isolation.
+      If you rely on <literal>/tmp</literal> being shared with other services, explicitly override this by
+      setting <literal>serviceConfig.PrivateTmp</literal> to <literal>false</literal> for each phpfpm unit.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 

nixos/modules/services/web-servers/phpfpm/default.nix

@@ -262,6 +262,7 @@ in {
         in {
           Slice = "phpfpm.slice";
           PrivateDevices = true;
+          PrivateTmp = true;
           ProtectSystem = "full";
           ProtectHome = true;
           # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work