mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-15 18:23:09 +00:00
08c37ba899
While `/var/lib/lldap` isn't technically accessible by unprivileged users thanks to `DynamicUser=true`, a user might prefer and change it to `DynamicUser=false`. There is currently also a PR open that intends to make `DynamicUser` configurable via module option. As such, `jwt_secret_file`, if bootstrapped by the service start procedure, might be rendered world-readable due to its permissions (`0644/-rw-r--r--`) defaulting to the service's umask (`022`) and `/var/lib/lldap` to `0755/drwxr-xr-x` due to `StateDirectoryMode=0755`. This would usually be fixed by using `(umask 027; openssl ...)` instead of just `openssl ...`. However, it was found that another file (`users.db`), this time bootstrapped by `lldap` itself, also had insufficient permissions (`0644/-rw-r--r--`) inherited by the global umask and would be left world-readable as well. Due to this, we instead change the service's to `027`. And to lower the impact for already bootstrapped files on existing instances like `users.db`, set `StateDirectoryMode=0750`. |
||
|---|---|---|
| .. | ||
| aerospike.nix | ||
| cassandra.nix | ||
| clickhouse.nix | ||
| cockroachdb.nix | ||
| couchdb.nix | ||
| dgraph.nix | ||
| dragonflydb.nix | ||
| etcd.nix | ||
| ferretdb.nix | ||
| firebird.nix | ||
| foundationdb.md | ||
| foundationdb.nix | ||
| hbase-standalone.nix | ||
| influxdb2.nix | ||
| influxdb.nix | ||
| lldap.nix | ||
| memcached.nix | ||
| monetdb.nix | ||
| mongodb.nix | ||
| mysql.nix | ||
| neo4j.nix | ||
| openldap.nix | ||
| opentsdb.nix | ||
| pgbouncer.nix | ||
| pgmanage.nix | ||
| postgresql.md | ||
| postgresql.nix | ||
| redis.nix | ||
| rethinkdb.nix | ||
| surrealdb.nix | ||
| tigerbeetle.md | ||
| tigerbeetle.nix | ||
| victoriametrics.nix | ||