From 20f37a443089628fb7fd9d5f941bdabbdd4fecc2 Mon Sep 17 00:00:00 2001
From: Aaron Andersen
Date: Sat, 11 Apr 2020 19:58:24 -0400
Subject: [PATCH 1/4] nixos/httpd: run as non root user

---
 .../services/web-servers/apache-httpd/default.nix | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix
index 832c8b30ee9d..1094ed93e68c 100644
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@@ -453,7 +453,13 @@ in
  type = types.str;
  default = "wwwrun";
  description = ''
- User account under which httpd runs.
+ User account under which httpd children processes run.
+
+ If you require the main httpd process to run as
+ root add the following configuration:
+
+ systemd.services.httpd.serviceConfig.User = lib.mkForce "root";
+
  '';
  };
 
@@ -461,7 +467,7 @@ in
  type = types.str;
  default = "wwwrun";
  description = ''
- Group under which httpd runs.
+ Group under which httpd children processes run.
  '';
  };
 
@@ -724,7 +730,7 @@ in
  ExecStart = "@${pkg}/bin/httpd httpd -f ${httpdConf}";
  ExecStop = "${pkg}/bin/httpd -f ${httpdConf} -k graceful-stop";
  ExecReload = "${pkg}/bin/httpd -f ${httpdConf} -k graceful";
- User = "root";
+ User = cfg.user;
  Group = cfg.group;
  Type = "forking";
  PIDFile = "${runtimeDir}/httpd.pid";
@@ -732,6 +738,7 @@ in
  RestartSec = "5s";
  RuntimeDirectory = "httpd httpd/runtime";
  RuntimeDirectoryMode = "0750";
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
  };
  };
 

From ee030b121b3e963c753968f34678a89c4f2f006c Mon Sep 17 00:00:00 2001
From: Aaron Andersen
Date: Sat, 11 Apr 2020 20:03:33 -0400
Subject: [PATCH 2/4] nixos/httpd: set modern default values for mpm and http2

---
 .../web-servers/apache-httpd/default.nix | 24 +++++++++----------
 .../apache-httpd/vhost-options.nix | 2 +-
 2 files changed, 13 insertions(+), 13 deletions(-)

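Review bot: The new description text in this hunk, and the matching line in the `Group` hunk below it, says "httpd children processes", but with `User = cfg.user` the main process now runs under this account as well, so the wording understates the option's effect and has a grammar slip ("child processes"). A description along the lines of `User account under which httpd runs (the main process and its child processes).`, followed by the existing `mkForce "root"` escape hatch, would match what the service does after this series. It would also help to state in the same paragraph that the generated configuration, TLS certificates and private keys must be readable by this user, since that is the requirement the release note in the last patch spells out and the option page is where a user looks first.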
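Review bot: `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]` is preserved across fork and execve, and because the main process no longer runs as root (the `User = cfg.user` change in the previous hunk) the worker processes keep the same uid and, as far as I can tell, the same ambient set — and so does anything they execute, such as CGI scripts or piped loggers; with the old root parent those children were presumably dropped to `cfg.user` by httpd itself with no capabilities at all. Pairing the new line with `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];` keeps the bounding set limited to that one capability, and a comment such as `# bind ports < 1024 as a non-root user; note it is inherited by worker and CGI processes` next to it would record the trade-off. The `serviceConfig` attribute set continues outside the hunk.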
diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix
index 1094ed93e68c..0ab7942e46b5 100644
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@@ -41,9 +41,9 @@ let
  "mime" "autoindex" "negotiation" "dir" "alias" "rewrite" "unixd" "slotmem_shm" "socache_shmcb"
- "mpm_${cfg.multiProcessingModule}"
+ "mpm_${cfg.mpm}"
  ]
- ++ (if cfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
+ ++ (if cfg.mpm == "prefork" then [ "cgi" ] else [ "cgid" ])
  ++ optional enableHttp2 "http2"
  ++ optional enableSSL "ssl"
  ++ optional enableUserDir "userdir"
@@ -264,7 +264,7 @@ let
  PidFile ${runtimeDir}/httpd.pid
 
- ${optionalString (cfg.multiProcessingModule != "prefork") ''
+ ${optionalString (cfg.mpm != "prefork") ''
  # mod_cgid requires this.
  ScriptSock ${runtimeDir}/cgisock
  ''}
@@ -349,6 +349,7 @@ in
  imports = [
  (mkRemovedOptionModule [ "services" "httpd" "extraSubservices" ] "Most existing subservices have been ported to the NixOS module system. Please update your configuration accordingly.")
  (mkRemovedOptionModule [ "services" "httpd" "stateDir" ] "The httpd module now uses /run/httpd as a runtime directory.")
+ (mkRenamedOptionModule [ "services" "httpd" "multiProcessingModule" ] [ "services" "httpd" "mpm" ])
 
  # virtualHosts options
  (mkRemovedOptionModule [ "services" "httpd" "documentRoot" ] "Please define a virtual host using `services.httpd.virtualHosts`.")
@@ -544,20 +545,19 @@ in
  '';
  };
 
- multiProcessingModule = mkOption {
+ mpm = mkOption {
  type = types.enum [ "event" "prefork" "worker" ];
- default = "prefork";
+ default = "event";
  example = "worker";
  description = ''
  Multi-processing module to be used by Apache. Available
- modules are prefork (the default;
- handles each request in a separate child process),
- worker (hybrid approach that starts a
- number of child processes each running a number of
- threads) and event (a recent variant of
- worker that handles persistent
- connections more efficiently).
+ modules are prefork (handles each
+ request in a separate child process), worker
+ (hybrid approach that starts a number of child processes
+ each running a number of threads) and event
+ (the default; a recent variant of worker
+ that handles persistent connections more efficiently).
  '';
  };
 
diff --git a/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix b/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix
index 2e806afb42c5..173c0f8561c0 100644
--- a/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix
@@ -137,7 +137,7 @@ in
  http2 = mkOption {
  type = types.bool;
- default = false;
+ default = true;
  description = ''
  Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. However, if you use the prefork mpm, there will be severe restrictions. Refer to for details.

From d0de9702795d33d6c3c72ea663256b9a743435e1 Mon Sep 17 00:00:00 2001
From: Aaron Andersen
Date: Sat, 11 Apr 2020 20:06:24 -0400
Subject: [PATCH 3/4] nixos/httpd: some mod_php cleanup

---
 nixos/modules/services/web-servers/apache-httpd/default.nix | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix
index 0ab7942e46b5..6f37974fde1b 100644
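Review bot: Flipping `default = "event"` interacts with mod_php: the module still carries an `enablePHP` option (the `PHPRC = phpIni` line in patch 3), and a non-thread-safe mod_php is only usable under the prefork MPM, yet nothing in this hunk makes the default conditional or asserts the combination, so unless such an assertion exists elsewhere in the module a configuration with `enablePHP = true` and the new default may fail at runtime instead of at evaluation. Either `default = if cfg.enablePHP then "prefork" else "event";` or an `assertions` entry rejecting `cfg.enablePHP && cfg.mpm != "prefork"` would make the migration explicit. The same concern applies to the vhost `http2` default switched to `true` in the second hunk: its own description warns of severe restrictions under prefork, so users kept on prefork for PHP now get HTTP/2 enabled by default as well. The enclosing `options` set starts and ends outside the hunk.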
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@@ -657,7 +657,7 @@ in
  services.httpd.phpOptions = ''
  ; Needed for PHP's mail() function.
- sendmail_path = sendmail -t -i
+ sendmail_path = ${pkgs.system-sendmail}/bin/sendmail -t -i
 
  ; Don't advertise PHP
  expose_php = off
@@ -708,9 +708,7 @@ in
  wants = concatLists (map (hostOpts: [ "acme-${hostOpts.hostName}.service" "acme-selfsigned-${hostOpts.hostName}.service" ]) vhostsACME);
  after = [ "network.target" "fs.target" ] ++ map (hostOpts: "acme-selfsigned-${hostOpts.hostName}.service") vhostsACME;
- path =
- [ pkg pkgs.coreutils pkgs.gnugrep ]
- ++ optional cfg.enablePHP pkgs.system-sendmail; # Needed for PHP's mail() function.
+ path = [ pkg pkgs.coreutils pkgs.gnugrep ];
  environment = optionalAttrs cfg.enablePHP { PHPRC = phpIni; }

From 7bc9f24fb646f7b538f84e829427c8d16272e9d8 Mon Sep 17 00:00:00 2001
From: Aaron Andersen
Date: Sat, 11 Apr 2020 20:47:24 -0400
Subject: [PATCH 4/4] nixos/httpd: update release notes

---
 nixos/doc/manual/release-notes/rl-2009.xml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index 3e29c19af8fb..40b5ca240aa6 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -261,6 +261,25 @@ environment.systemPackages = [
+
+
+ The httpd web server previously started its main process as root
+ privileged, then ran worker processes as a less privileged identity user.
+ This was changed to start all of httpd as a less privileged user (defined by
+ and
+ ). As a consequence, all files that
+ are needed for httpd to run (included configuration fragments, SSL
+ certificates and keys, etc.) must now be readable by this less privileged
+ user/group.
+
+
+ The default value for
+ has been changed from prefork to event. Along with
+ this change the default value for
+ services.httpd.virtualHosts.<name>.http2
+ has been set to true.
+
+