Merge pull request #103147 from nh2/nginx-sandbox-protecthome-release-notes
manual: nginx: Mention ProtectHome in release notes. See #85567
This commit is contained in:
commit
1c460c0a5c
1 changed files with 12 additions and 1 deletions
|
@ -879,12 +879,23 @@ php.override {
|
|||
<listitem>
|
||||
<para>
|
||||
Nginx web server now starting with additional sandbox/hardening options. By default, write access
|
||||
to <literal>services.nginx.stateDir</literal> is allowed. To allow writing to other folders,
|
||||
to <literal>/var/log/nginx</literal> and <literal>/var/cache/nginx</literal> is allowed. To allow writing to other folders,
|
||||
use <literal>systemd.services.nginx.serviceConfig.ReadWritePaths</literal>
|
||||
<programlisting>
|
||||
systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
|
||||
</programlisting>
|
||||
</para>
|
||||
<para>
|
||||
Nginx is also started with the systemd option <literal>ProtectHome = mkDefault true;</literal>
|
||||
which forbids it to read anything from <literal>/home</literal>, <literal>/root</literal>
|
||||
and <literal>/run/user</literal> (see
|
||||
<link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=">ProtectHome docs</link>
|
||||
for details).
|
||||
If you require serving files from home directories, you may choose to set e.g.
|
||||
<programlisting>
|
||||
systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
|
||||
</programlisting>
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
|
|
Loading…
Reference in a new issue