public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use a dedicated user ('named') for BIND instead of running the daemon as super user.

Browse Source
This commit is contained in:
Peter Simons 2012-07-27 00:07:25 +02:00
parent 87ae768665
commit e988324534
2 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
modules/misc/ids.nix
View File

@ -71,6 +71,7 @@ in
mpd = 50; mpd = 50;
clamav = 51; clamav = 51;
fprot = 52; fprot = 52;
bind = 53;
# When adding a uid, make sure it doesn't match an existing gid. # When adding a uid, make sure it doesn't match an existing gid.

11
modules/services/networking/bind.nix
View File

@ -6,6 +6,8 @@ let
cfg = config.services.bind; cfg = config.services.bind;
bindUser = "named";
confFile = pkgs.writeText "named.conf" confFile = pkgs.writeText "named.conf"
'' ''
acl cachenetworks { ${concatMapStrings (entry: " ${entry}; ") cfg.cacheNetworks} }; acl cachenetworks { ${concatMapStrings (entry: " ${entry}; ") cfg.cacheNetworks} };
@ -118,6 +120,12 @@ in
config = mkIf config.services.bind.enable { config = mkIf config.services.bind.enable {
users.extraUsers = singleton
{ name = bindUser;
uid = config.ids.uids.bind;
description = "BIND daemon user";
};
jobs.bind = jobs.bind =
{ description = "BIND name server job"; { description = "BIND name server job";
@ -126,9 +134,10 @@ in
preStart = preStart =
'' ''
${pkgs.coreutils}/bin/mkdir -p /var/run/named ${pkgs.coreutils}/bin/mkdir -p /var/run/named
chown ${bindUser} /var/run/named
''; '';
exec = "${pkgs.bind}/sbin/named ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f"; exec = "${pkgs.bind}/sbin/named -u ${bindUser} ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f";
}; };
}; };