From 50d6e93dc8ce18c22f01989a92390ff21000191f Mon Sep 17 00:00:00 2001
From: danbst
Date: Thu, 26 Dec 2019 14:16:29 +0200
Subject: [PATCH] nixos/nginx: fixup permissions for Nginx state dir
The commit b0bbacb52134a7e731e549f4c0a7a2a39ca6b481 was a bit too fast It did set executable bit for log files. Also, it didn't account for other directories in state dir:
```
# ls -la /var/spool/nginx/
total 32
drwxr-x--- 8 nginx nginx 4096 Dec 26 12:00 .
drwxr-xr-x 4 root root 4096 Oct 10 20:24 ..
drwx------ 2 root root 4096 Oct 10 20:24 client_body_temp
drwx------ 2 root root 4096 Oct 10 20:24 fastcgi_temp
drwxr-x--- 2 nginx nginx 4096 Dec 26 12:00 logs
drwx------ 2 root root 4096 Oct 10 20:24 proxy_temp
drwx------ 2 root root 4096 Oct 10 20:24 scgi_temp
drwx------ 2 root root 4096 Oct 10 20:24 uwsgi_temp
```
With proposed change, only ownership is changed for state files, and mode is left as is except that statedir/logs is now group accessible.
---
 nixos/modules/services/web-servers/nginx/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 7a597163e61e..ada7a25604c4 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -671,7 +671,7 @@ in
 systemd.tmpfiles.rules = [
 "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"
 "d '${cfg.stateDir}/logs' 0750 ${cfg.user} ${cfg.group} - -"
- "Z '${cfg.stateDir}/logs' 0750 ${cfg.user} ${cfg.group} - -"
+ "Z '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -"
 ];
 systemd.services.nginx = {
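Review bot: The new `Z '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -` rule re-owns the whole tree under `cfg.stateDir` recursively each time the tmpfiles rules are applied, so its reach is whatever the option points at, not only the nginx temp and log directories shown in the commit message. If `stateDir` is ever set to a path that also holds other content, all of it ends up owned by `${cfg.user}`; a comment above the rule such as `# Z is recursive: everything below stateDir is handed to cfg.user, modes are left untouched`, plus a matching sentence in the `stateDir` option description, would make that explicit. Because the mode field is now `-`, log files that already received the executable bit from the earlier `0750` rule presumably keep it on existing hosts, since nothing in this hunk resets them. The enclosing attribute set starts before and continues after the hunk.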