diff --git a/pkgs/tools/system/netdata/default.nix b/pkgs/tools/system/netdata/default.nix
index 673d29d61aa1..25d0366ef715 100644
--- a/pkgs/tools/system/netdata/default.nix
+++ b/pkgs/tools/system/netdata/default.nix
@@ -42,6 +42,11 @@ in stdenv.mkDerivation rec {
     # required to prevent plugins from relying on /etc
     # and /var
     ./no-files-in-etc-and-var.patch
+    # The current IPC location is unsafe as it writes
+    # a fixed path in /tmp, which is world-writable.
+    # Therefore we put it into `/run/netdata`, which is owned
+    # by netdata only.
+    ./ipc-socket-in-run.patch
   ];
 
   NIX_CFLAGS_COMPILE = optionalString withDebug "-O1 -ggdb -DNETDATA_INTERNAL_CHECKS=1";
diff --git a/pkgs/tools/system/netdata/ipc-socket-in-run.patch b/pkgs/tools/system/netdata/ipc-socket-in-run.patch
new file mode 100644
index 000000000000..a117955af095
--- /dev/null
+++ b/pkgs/tools/system/netdata/ipc-socket-in-run.patch
@@ -0,0 +1,13 @@
+diff --git a/daemon/commands.h b/daemon/commands.h
+index bd4aabfe1cbe4..ce7eb3c730228 100644
+--- a/daemon/commands.h
++++ b/daemon/commands.h
+@@ -6,7 +6,7 @@
+ #ifdef _WIN32
+ # define PIPENAME "\\\\?\\pipe\\netdata-cli"
+ #else
+-# define PIPENAME "/tmp/netdata-ipc"
++# define PIPENAME "/run/netdata/ipc"
+ #endif
+ 
+ #define MAX_COMMAND_LENGTH 4096
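Review bot: The comment added above `./ipc-socket-in-run.patch` states that `/run/netdata` is "owned by netdata only", but nothing in this derivation creates that directory or sets its mode; that has to come from the service definition (presumably a systemd `RuntimeDirectory=netdata` in the NixOS module, which is outside this diff), and without it the daemon's command socket cannot be bound at all when the package is used outside that module. The directory mode is also what now decides who can reach the socket: a 0700 directory locks out `netdatacli` run as any other user, while the socket file itself presumably still gets whatever mode the daemon's umask yields, so the protection rests entirely on the directory. I would make that dependency explicit in the comment, e.g. `# /run/netdata must be created by the service (systemd RuntimeDirectory) with a restrictive mode; the daemon itself does not create it.` The `patches` list this hunk sits in starts outside the hunk.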
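Review bot: The replacement `# define PIPENAME "/run/netdata/ipc"` hardcodes the new path with no build-time override, so a deployment that names its runtime directory differently, or anyone reusing this patch, has to re-patch the header. Wrapping it as `#ifndef PIPENAME` / `# define PIPENAME "/run/netdata/ipc"` / `#endif` would let the derivation set the path via `-DPIPENAME=...` in `NIX_CFLAGS_COMPILE` instead. The hunk only shows the macro, not the code that unlinks and binds the socket; moving out of the world-writable /tmp removes the pre-created-socket and symlink race only if no other code path still falls back to a predictable /tmp name, which is worth confirming in the daemon. The `_WIN32` branch is left as is, which is fine for this package.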