public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/acme: Use more secure chmods

Browse Source 
Previous settings would make files executable in
the certs directories.
This commit is contained in:
Lucas Savva 2020-10-22 14:04:31 +01:00
parent d2b8b92865
commit 89d134b3fd
No known key found for this signature in database
GPG Key ID: F9CE6D3DCDC78F2D
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
nixos/modules/security/acme.nix
View File

@ -63,7 +63,7 @@ let
script = with builtins; concatStringsSep "\n" (mapAttrsToList (cert: data: '' script = with builtins; concatStringsSep "\n" (mapAttrsToList (cert: data: ''
for fixpath in /var/lib/acme/${escapeShellArg cert} /var/lib/acme/.lego/${escapeShellArg cert}; do for fixpath in /var/lib/acme/${escapeShellArg cert} /var/lib/acme/.lego/${escapeShellArg cert}; do
if [ -d "$fixpath" ]; then if [ -d "$fixpath" ]; then
chmod -R 750 "$fixpath" chmod -R u=rwX,g=rX,o= "$fixpath"
chown -R acme:${data.group} "$fixpath" chown -R acme:${data.group} "$fixpath"
fi fi
done done
@ -271,7 +271,7 @@ let
mv domainhash.txt certificates/ mv domainhash.txt certificates/
chmod 640 certificates/* chmod 640 certificates/*
chmod -R 700 accounts/* chmod -R u=rwX,g=,o= accounts/*
# Group might change between runs, re-apply it # Group might change between runs, re-apply it
chown 'acme:${data.group}' certificates/* chown 'acme:${data.group}' certificates/*