From 0ef085d58a8307bfe6ba5a108a063a9e41a2549d Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Fri, 27 Jul 2012 00:38:19 +0200 Subject: [PATCH] Add services.httpd.fixUidAndGid option to assign reliable numeric UID and GID for the Apache user. The option is disabled by default so that previously existing installations aren't affected. If you'd like to migrate to the fixed numeric id for Apache, set "fixUidAndGid = true", edit the file "/etc/groups" and replace the old GID value with 54. (NixOS can't do that for you because it refuses to change a GID that identifies the primary group of a user.) Then run find / -xdev -uid $oldUID -exec chown 54 {} + find / -xdev -gid $oldGID -exec chgrp 54 {} + to update ownership of all files that are supposed to be owned by Apache. --- modules/misc/ids.nix | 4 ++++ .../web-servers/apache-httpd/default.nix | 24 ++++++++++++++----- 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/modules/misc/ids.nix b/modules/misc/ids.nix index 13ebf954f32..eb78b32f542 100644 --- a/modules/misc/ids.nix +++ b/modules/misc/ids.nix @@ -72,6 +72,7 @@ in clamav = 51; fprot = 52; bind = 53; + wwwrun = 54; # When adding a uid, make sure it doesn't match an existing gid. @@ -123,6 +124,9 @@ in mpd = 50; clamav = 51; fprot = 52; + # Group id 53 is still free! I didn't use it, because I wanted the + # the same numeric value for the 'wwwrun' user and group. + wwwrun = 54; # When adding a gid, make sure it doesn't match an existing uid. diff --git a/modules/services/web-servers/apache-httpd/default.nix b/modules/services/web-servers/apache-httpd/default.nix index 90c0adee2a7..248c013bf38 100644 --- a/modules/services/web-servers/apache-httpd/default.nix +++ b/modules/services/web-servers/apache-httpd/default.nix 
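Review bot: The comment added above `wwwrun = 54;` in the gids set calls group id 53 "still free", but the uids hunk in this same file shows `bind = 53;`, and the rule on the following context line says a new gid must not match an existing uid. So 53 is effectively reserved for a matching `bind` group rather than free for any new group, and the comment invites someone to hand it out. It also has a doubled "the". I would reword it to `# gid 53 is skipped on purpose: uid 53 belongs to 'bind'. 54 is used so` / `# that the 'wwwrun' user and group share the same numeric id.` The gids attribute set starts and ends outside this hunk, so whether another entry already uses 54 cannot be checked from here.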
@@ -407,7 +407,7 @@ in package = mkOption { default = pkgs.apacheHttpd.override { mpm = mainCfg.multiProcessingModule; }; - example = "pkgs.apacheHttpd_2_4"; + example = "pkgs.apacheHttpd_2_4"; description = " Overridable attribute of the Apache HTTP Server package to use. "; @@ -415,7 +415,7 @@ in configFile = mkOption { default = confFile; - example = ''pkgs.writeText "httpd.conf" "# my custom config file ...";''; + example = ''pkgs.writeText "httpd.conf" "# my custom config file ...";''; description = " Overridable config file to use for Apache. By default, use the file automatically generated by nixos. @@ -469,6 +469,18 @@ in "; }; + fixUidAndGid = mkOption { + default = false; + description = " + Use a fixed numeric ID (54) for the wwwrun user + and group. This setting is disabled by default for the sake of + backwards compatibility: we don't want to break pre-existing + installations that alrady have a user/group for Apache with different + values for that ID. If you're installing a fresh server, however, + choosing the fixed numeric values for those IDs is safe. + "; + }; + logDir = mkOption { default = "/var/log/httpd"; description = " @@ -558,14 +570,14 @@ in config = mkIf config.services.httpd.enable { users.extraUsers = optionalAttrs (mainCfg.user == "wwwrun") singleton - { name = "wwwrun"; + ({ name = "wwwrun"; group = "wwwrun"; description = "Apache httpd user"; - }; + } // (if mainCfg.fixUidAndGid then { uid = config.ids.uids.wwwrun; } else {})); users.extraGroups = optionalAttrs (mainCfg.group == "wwwrun") singleton - { name = "wwwrun"; - }; + ({ name = "wwwrun"; + } // (if mainCfg.fixUidAndGid then { gid = config.ids.gids.wwwrun; } else {})); environment.systemPackages = [httpd] ++ concatMap (svc: svc.extraPath) allSubservices;
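Review bot: The `fixUidAndGid` description says when the option is safe, but not what the administrator of an existing installation must do after turning it on; the migration steps exist only in the commit message. Files left under the old numeric id become inaccessible to Apache, and they would be inherited by whichever account is later given that id. The description should therefore say that ownership has to be migrated when the flag is enabled on a running system, and point to the procedure. When those commands are documented, `chown -h` / `chgrp -h` is the safer form, because a symlink owned by the old id is then re-owned itself instead of the file it points to. Also, `alrady` in the description should read `already`.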
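Review bot: In both `users.extraUsers` and `users.extraGroups` the new parentheses wrap only the attribute set, so the expression still parses as `(optionalAttrs cond singleton) (...)`. Assuming `optionalAttrs` is the usual two-argument `cond: attrs:` helper, a `mainCfg.user` or `mainCfg.group` other than `wwwrun` would make it return `{}` and then apply that to the set, which fails at evaluation. This predates the commit, but since the lines are being rewritten it is worth wrapping the whole call, e.g. `optionalAttrs (mainCfg.user == "wwwrun") (singleton ({ ... } // ...))`. As a style point, `(if mainCfg.fixUidAndGid then { uid = config.ids.uids.wwwrun; } else {})` can be written as `optionalAttrs mainCfg.fixUidAndGid { uid = config.ids.uids.wwwrun; }`, and likewise for `gid`. The `config` block continues past the end of this hunk.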