Give ExecStartPre root perms.

Apparently PermissionsStartOnly = false will do that.
This commit is contained in:
niten 2023-09-22 22:25:43 -07:00
parent 7ed8b64466
commit ad5570b7c3
1 changed files with 7 additions and 9 deletions


@ -89,7 +89,7 @@ let
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
# LockPersonality = true;
# PermissionsStartOnly = true;
PermissionsStartOnly = false;
LimitNOFILE = 4096;
User = cfg.user;
Group = cfg.group;
@ -97,6 +97,10 @@ let
RestartSec = "5s";
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
SecureBits = "keep-caps";
ExecStartPre = ''
chown ${cfg.user}:${cfg.group} ${cfg.kdc.database}
chown ${cfg.user}:${cfg.group} ${cfg.state-directory}/kerberos.log
'';
ExecStart = let
ips = if (cfg.kdc.bind-addresses != [ ]) then
cfg.kdc.bind-addresses
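Review bot: `PermissionsStartOnly = false` (line 17, in the hunk above) is systemd's default and means `User=`/`Group=` apply to every Exec* command, so the two `chown` calls added here still run as cfg.user rather than as root; it is `true` that limits User= to ExecStart, and that directive is deprecated anyway in favour of a `+` prefix on the individual command. Separately, `ExecStartPre` is given a multi-line `''...''` string, which NixOS appears to write verbatim into the unit, leaving the second `chown` on a line of its own that systemd will not treat as part of the command; wrap both commands in one `pkgs.writeShellScript`, as the hprop hunks below already do, and prefix the store path with `+` so only that script is privileged. Keep the root-run script to exactly these two chown calls on the service's own state paths, since anything it touches is done with full privileges. Note also that this line uses `cfg.state-directory` while the removed line in the last hunk used `cfg.kdc.state-directory`; confirm which option actually exists.
```nix
# "+" runs only this script with full privileges; User=/Group= still apply to ExecStart.
ExecStartPre = "+${pkgs.writeShellScript "kdc-fix-perms.sh" ''
  chown ${cfg.user}:${cfg.group} ${cfg.kdc.database}
  chown ${cfg.user}:${cfg.group} ${cfg.state-directory}/kerberos.log
''}";
```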
@ -210,8 +214,8 @@ let
# ${convertCmd}
# ls $RUNTIME_DIRECTORY
# '';
ExecStartPre = let
dumpScript = (concatStringsSep " " [
ExecStartPre = pkgs.writeShellScript "kdc-prepare-hprop-dump.sh"
(concatStringsSep " " [
"${pkgs.heimdal}/bin/kadmin"
"--local"
"--config-file=${kdcConf}"
@ -220,12 +224,6 @@ let
"--format=Heimdal"
"${staging-db}"
]);
in pkgs.writeShellScript "kdc-prepare-hprop-dump.sh" ''
chown ${cfg.user}:${cfg.group} ${staging-db}
chown ${cfg.user}:${cfg.group} ${cfg.kdc.database}
chown ${cfg.user}:${cfg.group} ${cfg.kdc.state-directory}/kerberos.log
${dumpScript}
'';
ExecStart = pkgs.writeShellScript "kdc-hprop.sh"
(concatStringsSep " " ([