rmilter/rspamd service: tighten unix socket permissions

2017-03-17 23:01:24 +01:00 · 2017-03-17 23:01:24 +01:00 · 00239ce8e9
commit 00239ce8e9
parent 8ab2d2ee27
2 changed files with 12 additions and 6 deletions
--- a/nixos/modules/services/mail/rmilter.nix
+++ b/nixos/modules/services/mail/rmilter.nix
@ -5,6 +5,7 @@ with lib;
 let
  rspamdCfg = config.services.rspamd;
  postfixCfg = config.services.postfix;
  cfg = config.services.rmilter;
  inetSocket = addr: port: "inet:[${toString port}@${addr}]";
@ -219,7 +220,7 @@ in
          PermissionsStartOnly = true;
          Restart = "always";
          RuntimeDirectory = "rmilter";
-          RuntimeDirectoryMode = "0755";
+          RuntimeDirectoryMode = "0750";
        };
      };
@ -231,16 +232,18 @@ in
          ListenStream = systemdSocket;
          SocketUser = cfg.user;
          SocketGroup = cfg.group;
-          SocketMode = "0666";
+          SocketMode = "0660";
        };
      };
    })
    (mkIf (cfg.enable && cfg.rspamd.enable && rspamdCfg.enable) {
      users.extraUsers.${cfg.user}.extraGroups = [ rspamdCfg.group ];
    })
    (mkIf (cfg.enable && cfg.postfix.enable) {
      services.postfix.extraConfig = cfg.postfix.configFragment;
-      users.users.postfix.extraGroups = [ cfg.group ];
+      users.extraUsers.${postfixCfg.user}.extraGroups = [ cfg.group ];
    })
  ];
 }
--- a/nixos/modules/services/mail/rspamd.nix
+++ b/nixos/modules/services/mail/rspamd.nix
@ -53,8 +53,11 @@ in
      bindSocket = mkOption {
        type = types.listOf types.str;
        default = [
-          "/run/rspamd/rspamd.sock mode=0666 owner=${cfg.user}"
+          "/run/rspamd/rspamd.sock mode=0660 owner=${cfg.user} group=${cfg.group}"
        ];
        defaultText = ''[
          "/run/rspamd/rspamd.sock mode=0660 owner=${cfg.user} group=${cfg.group}"
        ]'';
        description = ''
          List of sockets to listen, in format acceptable by rspamd
        '';