From 7e7392b8ad8fcfe15334109a1ccf15b73ed5d779 Mon Sep 17 00:00:00 2001
From: Rob Vermaas
Date: Thu, 25 Jul 2013 15:48:00 +0200
Subject: [PATCH] Limit the location where fail2ban service can write to (only /var/run/fail2ban).

---
 modules/services/security/fail2ban.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/modules/services/security/fail2ban.nix b/modules/services/security/fail2ban.nix
index d90cf8d4471..258a2d79163 100644
--- a/modules/services/security/fail2ban.nix
+++ b/modules/services/security/fail2ban.nix
@@ -114,7 +114,11 @@ in
       mkdir -p /var/run/fail2ban -m 0755
     '';
-    serviceConfig.ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
+    serviceConfig =
+      { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
+        ReadOnlyDirectories = "/";
+        ReadWriteDirectories = "/var/run/fail2ban";
+      };
     postStart = ''