Merge pull request #73886 from flokli/phpfpm-privatetmp
nixos/phpfpm: enable PrivateTmp=true
1a63afd5aa
@ -163,6 +163,14 @@
|
|||||||
time during the releases development (if viable).
|
time during the releases development (if viable).
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
The <link linkend="opt-services.phpfpm.pools">phpfpm</link> module now sets
|
||||||
|
<literal>PrivateTmp=true</literal> in its systemd units for better process isolation.
|
||||||
|
If you rely on <literal>/tmp</literal> being shared with other services, explicitly override this by
|
||||||
|
setting <literal>serviceConfig.PrivateTmp</literal> to <literal>false</literal> for each phpfpm unit.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
@ -262,6 +262,7 @@ in {
|
|||||||
in {
|
in {
|
||||||
Slice = "phpfpm.slice";
|
Slice = "phpfpm.slice";
|
||||||
PrivateDevices = true;
|
PrivateDevices = true;
|
||||||
|
PrivateTmp = true;
|
||||||
ProtectSystem = "full";
|
ProtectSystem = "full";
|
||||||
ProtectHome = true;
|
ProtectHome = true;
|
||||||
# XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work
|
# XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work
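Review bot: The new `PrivateTmp = true;` is applied to every pool unit and, per systemd's semantics, isolates `/var/tmp` as well as `/tmp`, yet the module carries no comment explaining the choice or the escape hatch, unlike the `# XXX: We need AF_NETLINK` line directly below it. Pools whose PHP configuration hands files in `/tmp` to another service (for instance an upload or session directory read by the web server) will presumably stop sharing them silently, and an operator reading the module will not find the override documented here. A one-line comment above the new line would close that gap: `# PrivateTmp isolates /tmp and /var/tmp per unit; pools that must share them can set serviceConfig.PrivateTmp = false.` The enclosing serviceConfig attribute set begins and ends outside the hunk.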
|
||||||
|