talexander/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Releases Activity

nixos/vdirsyncer: only use ProtectHome=yes with DynamicUser=yes

Browse Source 
If a user is given it seems likely that their home directory is accessed.
This commit is contained in:
schnusch 2023-11-29 21:09:21 +01:00
parent cd06d2dd2a
commit bc72dc08f2
2 changed files with 1 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nixos/modules/services/networking/vdirsyncer.nix
View File

@ -45,6 +45,7 @@ let
} }
// (optionalAttrs (cfg'.user == null) { // (optionalAttrs (cfg'.user == null) {
DynamicUser = true; DynamicUser = true;
ProtectHome = true;
}) })
// (optionalAttrs (cfg'.additionalGroups != [ ]) { // (optionalAttrs (cfg'.additionalGroups != [ ]) {
SupplementaryGroups = cfg'.additionalGroups; SupplementaryGroups = cfg'.additionalGroups;
@ -63,7 +64,6 @@ let
PrivateTmp = true; PrivateTmp = true;
NoNewPrivileges = true; NoNewPrivileges = true;
ProtectSystem = "strict"; ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectControlGroups = true; ProtectControlGroups = true;

7
nixos/tests/vdirsyncer.nix
View File

@ -217,13 +217,6 @@ import ./make-test-python.nix (
}; };
}; };
# ProtectHome is the default, but we must access our storage
# in ~.
systemd.services = {
"vdirsyncer@alice".serviceConfig.ProtectHome = lib.mkForce false;
"vdirsyncer@bob".serviceConfig.ProtectHome = lib.mkForce false;
};
users.users = { users.users = {
alice.isNormalUser = true; alice.isNormalUser = true;
bob.isNormalUser = true; bob.isNormalUser = true;