BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

rmilter/rspamd service: tighten unix socket permissions

Browse source
This commit is contained in:
Franz Pletz 2017-03-17 23:01:24 +01:00
parent 8ab2d2ee27
commit 00239ce8e9
No known key found for this signature in database
GPG key ID: 846FDED7792617B4
2 changed files with 12 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
nixos/modules/services/mail/rmilter.nix
View file

@ -5,6 +5,7 @@ with lib;
let
rspamdCfg = config.services.rspamd;
postfixCfg = config.services.postfix;
cfg = config.services.rmilter;
inetSocket = addr: port: "inet:[${toString port}@${addr}]";
@ -219,7 +220,7 @@ in
PermissionsStartOnly = true;
Restart = "always";
RuntimeDirectory = "rmilter";
RuntimeDirectoryMode = "0755";
RuntimeDirectoryMode = "0750";
};
};
@ -231,16 +232,18 @@ in
ListenStream = systemdSocket;
SocketUser = cfg.user;
SocketGroup = cfg.group;
SocketMode = "0666";
SocketMode = "0660";
};
};
})
(mkIf (cfg.enable && cfg.rspamd.enable && rspamdCfg.enable) {
users.extraUsers.${cfg.user}.extraGroups = [ rspamdCfg.group ];
})
(mkIf (cfg.enable && cfg.postfix.enable) {
services.postfix.extraConfig = cfg.postfix.configFragment;
users.users.postfix.extraGroups = [ cfg.group ];
users.extraUsers.${postfixCfg.user}.extraGroups = [ cfg.group ];
})
];
}

5
nixos/modules/services/mail/rspamd.nix
View file

@ -53,8 +53,11 @@ in
bindSocket = mkOption {
type = types.listOf types.str;
default = [
"/run/rspamd/rspamd.sock mode=0666 owner=${cfg.user}"
"/run/rspamd/rspamd.sock mode=0660 owner=${cfg.user} group=${cfg.group}"
];
defaultText = ''[
"/run/rspamd/rspamd.sock mode=0660 owner=${cfg.user} group=${cfg.group}"
]'';
description = ''
List of sockets to listen, in format acceptable by rspamd
'';