nixos/geoip-updater: run as user 'geoip' instead of 'nobody'
That way 'nobody' is prevented from messing with the databases.
This commit is contained in:
parent
900fc49013
commit
d4e5bb34b7
@ -287,6 +287,7 @@
|
|||||||
pdns-recursor = 269;
|
pdns-recursor = 269;
|
||||||
kresd = 270;
|
kresd = 270;
|
||||||
rpc = 271;
|
rpc = 271;
|
||||||
|
geoip = 272;
|
||||||
|
|
||||||
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
|
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
|
||||||
|
|
||||||
@ -543,6 +544,7 @@
|
|||||||
gogs = 268;
|
gogs = 268;
|
||||||
kresd = 270;
|
kresd = 270;
|
||||||
#rpc = 271; # unused
|
#rpc = 271; # unused
|
||||||
|
#geoip = 272; # unused
|
||||||
|
|
||||||
# When adding a gid, make sure it doesn't match an existing
|
# When adding a gid, make sure it doesn't match an existing
|
||||||
# uid. Users and groups with the same name should have equal
|
# uid. Users and groups with the same name should have equal
|
||||||
|
@ -251,6 +251,12 @@ in
|
|||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
|
users.extraUsers.geoip = {
|
||||||
|
group = "root";
|
||||||
|
description = "GeoIP database updater";
|
||||||
|
uid = config.ids.uids.geoip;
|
||||||
|
};
|
||||||
|
|
||||||
systemd.timers.geoip-updater =
|
systemd.timers.geoip-updater =
|
||||||
{ description = "GeoIP Updater Timer";
|
{ description = "GeoIP Updater Timer";
|
||||||
partOf = [ "geoip-updater.service" ];
|
partOf = [ "geoip-updater.service" ];
|
||||||
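Review bot: The new `geoip` account is given `group = "root";` in the `users.extraUsers.geoip` definition, so the updater process carries root-group membership even though the commit reserves a `geoip` gid (272) in ids.nix and leaves it commented out as unused. Every file that is group-writable by root becomes writable by a process that fetches data from the network; a dedicated group keeps the account at least privilege. I would define and use the group, `users.extraGroups.geoip.gid = config.ids.gids.geoip;` and `group = "geoip";`, and uncomment `geoip = 272;` on the gid side of ids.nix. If root group membership is intentional, a one-line comment on the user saying why would help, since the `chmod 755` in the service already makes the directory world-readable and no root-group access seems needed.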
@ -267,11 +273,11 @@ in
|
|||||||
preStart = ''
|
preStart = ''
|
||||||
mkdir -p "${cfg.databaseDir}"
|
mkdir -p "${cfg.databaseDir}"
|
||||||
chmod 755 "${cfg.databaseDir}"
|
chmod 755 "${cfg.databaseDir}"
|
||||||
chown nobody:root "${cfg.databaseDir}"
|
chown geoip:root "${cfg.databaseDir}"
|
||||||
'';
|
'';
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = "${geoip-updater}/bin/geoip-updater";
|
ExecStart = "${geoip-updater}/bin/geoip-updater";
|
||||||
User = "nobody";
|
User = "geoip";
|
||||||
PermissionsStartOnly = true;
|
PermissionsStartOnly = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
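Review bot: The `chown geoip:root "${cfg.databaseDir}"` in `preStart` re-owns the directory itself only, so database files downloaded under the previous `nobody` user keep that owner; the stated goal of keeping `nobody` away from the databases is not reached for them until they are replaced, and an in-place rewrite by `geoip` of a file it does not own would fail (whether the updater rewrites in place or replaces files is not visible here). The same applies to the `preStart` of the second service in the following hunk. A one-time migration of leftover file ownership in `preStart` would close the gap; because the directory is writable by the service user once ownership is handed over, do it without dereferencing symlinks (`chown -h`) so that a link placed there cannot redirect the root-run chown. `preStart` runs as root here because of `PermissionsStartOnly = true;`, which is what makes the chown work at all.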
@ -285,11 +291,11 @@ in
|
|||||||
preStart = ''
|
preStart = ''
|
||||||
mkdir -p "${cfg.databaseDir}"
|
mkdir -p "${cfg.databaseDir}"
|
||||||
chmod 755 "${cfg.databaseDir}"
|
chmod 755 "${cfg.databaseDir}"
|
||||||
chown nobody:root "${cfg.databaseDir}"
|
chown geoip:root "${cfg.databaseDir}"
|
||||||
'';
|
'';
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = "${geoip-updater}/bin/geoip-updater --skip-existing";
|
ExecStart = "${geoip-updater}/bin/geoip-updater --skip-existing";
|
||||||
User = "nobody";
|
User = "geoip";
|
||||||
PermissionsStartOnly = true;
|
PermissionsStartOnly = true;
|
||||||
# So it won't be (needlessly) restarted:
|
# So it won't be (needlessly) restarted:
|
||||||
RemainAfterExit = true;
|
RemainAfterExit = true;
|
||||||
|
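Review bot: Now that both units run under a dedicated user, the `serviceConfig` here and in the previous hunk could also confine what that user can reach: the process needs the network and write access to `cfg.databaseDir` only, yet nothing limits it beyond the uid. Adding `PrivateTmp = true;`, `NoNewPrivileges = true;` and `ProtectSystem = "full";` (or `"strict"` with `ReadWritePaths` on newer systemd) would keep a misbehaving downloader to that directory. Whether the systemd shipped with this NixOS revision supports each of these directives is not visible from the hunk, so check before relying on them.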