Merge pull request #21 from peti/assign-fixed-uid-and-gid-for-httpd-service

(Optionally) assign fixed a UID and GID for the user dedicated to running Apache.
2012-08-03 07:41:47 -07:00 · 2012-08-03 07:41:47 -07:00 · 514a26af13
parent 29f721ba54 0ef085d58a
commit 514a26af13
2 changed files with 22 additions and 6 deletions
--- a/modules/misc/ids.nix
+++ b/modules/misc/ids.nix
@ -72,6 +72,7 @@ in
    clamav = 51;
    fprot = 52;
    bind = 53;
+    wwwrun = 54;

    # When adding a uid, make sure it doesn't match an existing gid.

@ -123,6 +124,9 @@ in
    mpd = 50;
    clamav = 51;
    fprot = 52;
+    # Group id 53 is still free! I didn't use it, because I wanted the
+    # the same numeric value for the 'wwwrun' user and group.
+    wwwrun = 54;

    # When adding a gid, make sure it doesn't match an existing uid.

--- a/modules/services/web-servers/apache-httpd/default.nix
+++ b/modules/services/web-servers/apache-httpd/default.nix
@ -407,7 +407,7 @@ in

      package = mkOption {
        default = pkgs.apacheHttpd.override { mpm = mainCfg.multiProcessingModule; };
-	example = "pkgs.apacheHttpd_2_4";
+        example = "pkgs.apacheHttpd_2_4";
        description = "
          Overridable attribute of the Apache HTTP Server package to use.
        ";
@ -415,7 +415,7 @@ in

      configFile = mkOption {
        default = confFile;
-	example = ''pkgs.writeText "httpd.conf" "# my custom config file ...";'';
+        example = ''pkgs.writeText "httpd.conf" "# my custom config file ...";'';
        description = "
          Overridable config file to use for Apache. By default, use the
          file automatically generated by nixos.
@ -469,6 +469,18 @@ in
        ";
      };

+      fixUidAndGid = mkOption {
+        default = false;
+        description = "
+          Use a fixed numeric ID (54) for the <varname>wwwrun</varname> user
+          and group. This setting is disabled by default for the sake of
+          backwards compatibility: we don't want to break pre-existing
+          installations that alrady have a user/group for Apache with different
+          values for that ID. If you're installing a fresh server, however,
+          choosing the fixed numeric values for those IDs is safe.
+        ";
+      };
+
      logDir = mkOption {
        default = "/var/log/httpd";
        description = "
@ -558,14 +570,14 @@ in
  config = mkIf config.services.httpd.enable {

    users.extraUsers = optionalAttrs (mainCfg.user == "wwwrun") singleton
-      { name = "wwwrun";
+      ({ name = "wwwrun";
        group = "wwwrun";
        description = "Apache httpd user";
-      };
+      } // (if mainCfg.fixUidAndGid then { uid = config.ids.uids.wwwrun; } else {}));

    users.extraGroups = optionalAttrs (mainCfg.group == "wwwrun") singleton
-      { name = "wwwrun";
-      };
+      ({ name = "wwwrun";
+      } // (if mainCfg.fixUidAndGid then { gid = config.ids.gids.wwwrun; } else {}));

    environment.systemPackages = [httpd] ++ concatMap (svc: svc.extraPath) allSubservices;