Fachschaft/nixConfig
5
2
Fork 2
Code Issues 7 Pull requests 1 Projects 1 Wiki Activity

lobon (Mailman-VM) #30

Merged
Gonne merged 5 commits from Gonne/nixConfig:lobon into main 2024-10-12 14:10:02 +00:00
Conversation 3 Commits 5 Files changed 7 +18
1 changed files with 18 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 081b9a9d34 - Show all commits

18
nixos/modules/mailman.nix
View file

@ -93,7 +93,25 @@ in {
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = "mailman"; User = "mailman";
NoNewPrivileges = true;
nerf commented 2024-04-04 14:01:17 +00:00
Outdated
Review
Copy link

can we set NoNewPrivileges = true;? or does it break the service?

And one could read the Sandboxing part of systemd.exec(5)

can we set `NoNewPrivileges = true;`? or does it break the service? And one could read the Sandboxing part of `systemd.exec(5)`
Gonne commented 2024-04-04 15:19:15 +00:00
Outdated
Review
Copy link

Yes, I added a bunch of them in f334e00d01 that seemed reasonable and don't break the updater. Notably, I left out ExecPaths= and NoExecPaths= because the correct values are unclear to me.

Yes, I added a bunch of them in f334e00d01 that seemed reasonable and don't break the updater. Notably, I left out `ExecPaths=` and `NoExecPaths=` because the correct values are unclear to me.
# See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
PrivateTmp = true; PrivateTmp = true;
ProtectHome = true;
ReadOnlyPaths = "/";
ReadWritePaths = "/tmp";
InaccessiblePaths = "-/lost+found";
PrivateDevices = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
}; };
}; };
nerf marked this conversation as resolved Outdated
nerf commented 2024-04-04 14:42:26 +00:00
Outdated
Review
Copy link

This is probably a bigger refactoring pull request and outside the scope of this one.
We could think making it easier configurable that backups are made by a user that can
basically read everything but not write.

This is probably a bigger refactoring pull request and outside the scope of this one. We could think making it easier configurable that backups are made by a user that can basically read everything but not write.
👍 1