From 20f37a443089628fb7fd9d5f941bdabbdd4fecc2 Mon Sep 17 00:00:00 2001
From: Aaron Andersen
Date: Sat, 11 Apr 2020 19:58:24 -0400
Subject: [PATCH] nixos/httpd: run as non root user

---
 .../services/web-servers/apache-httpd/default.nix | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix
index 832c8b30ee9d..1094ed93e68c 100644
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@@ -453,7 +453,13 @@ in
       type = types.str;
       default = "wwwrun";
       description = ''
-        User account under which httpd runs.
+        User account under which httpd children processes run.
+
+        If you require the main httpd process to run as
+        root add the following configuration:
+
+        systemd.services.httpd.serviceConfig.User = lib.mkForce "root";
+
       '';
     };
 
@@ -461,7 +467,7 @@ in
       type = types.str;
       default = "wwwrun";
       description = ''
-        Group under which httpd runs.
+        Group under which httpd children processes run.
       '';
     };
 
@@ -724,7 +730,7 @@ in
         ExecStart = "@${pkg}/bin/httpd httpd -f ${httpdConf}";
         ExecStop = "${pkg}/bin/httpd -f ${httpdConf} -k graceful-stop";
         ExecReload = "${pkg}/bin/httpd -f ${httpdConf} -k graceful";
-        User = "root";
+        User = cfg.user;
         Group = cfg.group;
         Type = "forking";
         PIDFile = "${runtimeDir}/httpd.pid";
@@ -732,6 +738,7 @@ in
         RestartSec = "5s";
         RuntimeDirectory = "httpd httpd/runtime";
         RuntimeDirectoryMode = "0750";
+        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
       };
     };
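Review bot: `children processes` in the new description text, and again in the second hunk's `Group under which httpd children processes run.`, should read `child processes`. Since the same description now shows how to force the main process back to root with `lib.mkForce`, it would help to state first what the default is and why it works, e.g. `By default the main httpd process also runs as this user; binding privileged ports is allowed through CAP_NET_BIND_SERVICE.`, so the override reads as the exception rather than the expected setup. The enclosing mkOption block begins outside the hunk.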
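Review bot: With `User = cfg.user;` the master process no longer has root's read access at startup, so anything the previous root master could open regardless of ownership — TLS private keys, log directories, document roots, the generated config's includes — must now be readable by `cfg.user`, and neither this hunk nor the updated option description says so. Whether the module itself sets ownership of those paths is not visible from these hunks, so this is presumably a user-facing change worth a sentence in the `user` description or the release notes, e.g. `Files httpd reads at startup (TLS keys, log directories) must be readable by this user, as httpd no longer starts as root.`. The serviceConfig attribute set starts and ends outside the hunk.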
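Review bot: `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` grants the capability but leaves the unit's bounding set at its default, and ambient capabilities are inherited across fork, so presumably every worker the non-root master forks carries it as well (a root master previously dropped to the worker user with no capabilities). Pairing the new line with `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];` makes that the only capability the service can hold and is the customary companion setting. If a user applies the `lib.mkForce "root"` override documented in the first hunk, the ambient grant becomes redundant but harmless. The enclosing serviceConfig set begins outside the hunk.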