From 00239ce8e9baeef0ea55fd0995a55e0b15a25ac9 Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Fri, 17 Mar 2017 23:01:24 +0100
Subject: [PATCH] rmilter/rspamd service: tighten unix socket permissions
---
 nixos/modules/services/mail/rmilter.nix | 13 ++++++++-----
 nixos/modules/services/mail/rspamd.nix | 5 ++++-
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/nixos/modules/services/mail/rmilter.nix b/nixos/modules/services/mail/rmilter.nix
index 3153b1c7912..e17b7516bff 100644
--- a/nixos/modules/services/mail/rmilter.nix
+++ b/nixos/modules/services/mail/rmilter.nix
@@ -5,6 +5,7 @@ with lib;
 let
 rspamdCfg = config.services.rspamd;
+ postfixCfg = config.services.postfix;
 cfg = config.services.rmilter;
 inetSocket = addr: port: "inet:[${toString port}@${addr}]";
@@ -219,7 +220,7 @@ in
 PermissionsStartOnly = true;
 Restart = "always";
 RuntimeDirectory = "rmilter";
- RuntimeDirectoryMode = "0755";
+ RuntimeDirectoryMode = "0750";
 };
 };
@@ -231,16 +232,18 @@ in
 ListenStream = systemdSocket;
 SocketUser = cfg.user;
 SocketGroup = cfg.group;
- SocketMode = "0666";
+ SocketMode = "0660";
 };
 };
 })
+ (mkIf (cfg.enable && cfg.rspamd.enable && rspamdCfg.enable) {
+ users.extraUsers.${cfg.user}.extraGroups = [ rspamdCfg.group ];
+ })
+
 (mkIf (cfg.enable && cfg.postfix.enable) {
- services.postfix.extraConfig = cfg.postfix.configFragment;
- users.users.postfix.extraGroups = [ cfg.group ];
-
+ users.extraUsers.${postfixCfg.user}.extraGroups = [ cfg.group ];
 })
 ];
 }
diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix
index 98489df7851..6d403e448e0 100644
--- a/nixos/modules/services/mail/rspamd.nix
+++ b/nixos/modules/services/mail/rspamd.nix
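Review bot: The tightened `RuntimeDirectoryMode = "0750"` may not hold in practice, because the socket unit in the following hunk listens on `systemdSocket`, and if that path lives under /run/rmilter (its definition is outside this patch) the socket unit, which starts before the service, creates the parent directory itself using the socket unit's own `DirectoryMode`, whose systemd default is 0755. To make the restriction independent of which unit creates the directory, add `DirectoryMode = "0750";` to the socket unit's socketConfig next to `SocketMode`. The serviceConfig attribute set this hunk edits starts outside the hunk.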
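Review bot: The line `services.postfix.extraConfig = cfg.postfix.configFragment;` is removed from the postfix mkIf block without a replacement anywhere in this patch, so with `services.rmilter.postfix.enable` set the Postfix configuration fragment is no longer applied: Postfix gains group access to the socket but is never configured to use the milter, and mail would bypass rmilter silently. Unless that setting is now applied somewhere outside the hunk, keep it next to the new group line: `services.postfix.extraConfig = cfg.postfix.configFragment;`. As a point of style, the hunk also trades `users.users.postfix` for `users.extraUsers.${postfixCfg.user}`; taking the user from postfixCfg is the right part of that change, but `users.extraUsers` appears to be the older alias of `users.users`, so `users.users.${postfixCfg.user}.extraGroups = [ cfg.group ];` would keep the module on the current option name. The mkMerge list this hunk edits begins outside the hunk.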
@@ -53,8 +53,11 @@ in
 bindSocket = mkOption {
 type = types.listOf types.str;
 default = [
- "/run/rspamd/rspamd.sock mode=0666 owner=${cfg.user}"
+ "/run/rspamd/rspamd.sock mode=0660 owner=${cfg.user} group=${cfg.group}"
 ];
+ defaultText = ''[
+ "/run/rspamd/rspamd.sock mode=0660 owner=${cfg.user} group=${cfg.group}"
+ ]'';
 description = ''
 List of sockets to listen, in format acceptable by rspamd
 '';
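Review bot: The new `defaultText` is an indented `''` string, so `${cfg.user}` and `${cfg.group}` inside it are interpolated at evaluation time and the rendered manual shows the resolved user and group names rather than the expressions, which is exactly what `defaultText` exists to avoid. Escape the interpolations so the literal text survives: `defaultText = ''[ "/run/rspamd/rspamd.sock mode=0660 owner=''${cfg.user} group=''${cfg.group}" ]'';`. Since the default now restricts the socket to the rspamd user and group, the description should state the new access contract for anyone overriding the list, e.g. `Clients must run as the rspamd user or belong to its group to reach the default socket; keep mode=0660 and group= when overriding this option.`, and "sockets to listen" reads better as "sockets to listen on". The `bindSocket` option is complete within the hunk, but the enclosing options set starts outside it.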