mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-01-02 19:14:14 +00:00
08c37ba899
While `/var/lib/lldap` isn't technically accessible by unprivileged users thanks to `DynamicUser=true`, a user might prefer and change it to `DynamicUser=false`. There is currently also a PR open that intends to make `DynamicUser` configurable via module option. As such, `jwt_secret_file`, if bootstrapped by the service start procedure, might be rendered world-readable due to its permissions (`0644/-rw-r--r--`) defaulting to the service's umask (`022`) and `/var/lib/lldap` to `0755/drwxr-xr-x` due to `StateDirectoryMode=0755`. This would usually be fixed by using `(umask 027; openssl ...)` instead of just `openssl ...`. However, it was found that another file (`users.db`), this time bootstrapped by `lldap` itself, also had insufficient permissions (`0644/-rw-r--r--`) inherited by the global umask and would be left world-readable as well. Due to this, we instead change the service's to `027`. And to lower the impact for already bootstrapped files on existing instances like `users.db`, set `StateDirectoryMode=0750`. |
||
|---|---|---|
| .. | ||
| config | ||
| hardware | ||
| i18n/input-method | ||
| image | ||
| installer | ||
| misc | ||
| profiles | ||
| programs | ||
| security | ||
| services | ||
| system | ||
| tasks | ||
| testing | ||
| virtualisation | ||
| module-list.nix | ||
| rename.nix | ||