Use a dedicated user ('named') for BIND instead of running the daemon as super user.

Peter Simons 2012-07-27 00:07:25 +02:00
parent 87ae768665
commit e988324534
2 changed files with 11 additions and 1 deletions


@ -71,6 +71,7 @@ in
mpd = 50;
clamav = 51;
fprot = 52;
bind = 53;
# When adding a uid, make sure it doesn't match an existing gid.
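Review bot: `bind = 53;` is added to the uid table only; no matching gid is reserved, so the `named` user created in the bind module gets whatever group the module's default supplies rather than a dedicated one. The comment directly below asks that a new uid not collide with an existing gid, and that check cannot be confirmed from this hunk since the gid table is not shown. If a dedicated group is intended, reserving `bind = 53;` in the gid table as well would keep the two tables in step. The enclosing attribute set continues outside the hunk.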


@ -6,6 +6,8 @@ let
cfg = config.services.bind;
bindUser = "named";
confFile = pkgs.writeText "named.conf"
''
acl cachenetworks { ${concatMapStrings (entry: " ${entry}; ") cfg.cacheNetworks} };
@ -118,6 +120,12 @@ in
config = mkIf config.services.bind.enable {
users.extraUsers = singleton
{ name = bindUser;
uid = config.ids.uids.bind;
description = "BIND daemon user";
};
jobs.bind =
{ description = "BIND name server job";
@ -126,9 +134,10 @@ in
preStart =
''
${pkgs.coreutils}/bin/mkdir -p /var/run/named
chown ${bindUser} /var/run/named
'';
exec = "${pkgs.bind}/sbin/named ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f";
exec = "${pkgs.bind}/sbin/named -u ${bindUser} ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f";
};
};
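Review bot: `chown ${bindUser} /var/run/named` in preStart is invoked unprefixed while the mkdir on the line above is taken from `${pkgs.coreutils}/bin`, so the privilege-drop setup depends on PATH at job start; write it as `${pkgs.coreutils}/bin/chown ${bindUser} /var/run/named`. Now that named drops to the `named` user via `-u`, everything it reads or writes after start-up must be accessible to that user: the generated named.conf lives in the store and is readable, but zone or cache files the configuration points at (not visible in these hunks) may still be root-owned and would fail with a permission error only at runtime. A short comment on the new binding, such as `# Unprivileged user named switches to after start-up (-u); files it reads at runtime must be accessible to it.`, would record that invariant next to its definition. The `jobs.bind` attribute set starts and ends outside the hunk.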