pyrox.dev / nixpkgs
lol
fork atom

nixos/vdirsyncer: only use ProtectHome=yes with DynamicUser=yes

If a user is given it seems likely that their home directory is accessed.

schnusch bc72dc08 cd06d2dd

options
unified split
Changed files
+1 -8
nixos
modules
services
networking
vdirsyncer.nix
tests
vdirsyncer.nix
+1 -1
nixos/modules/services/networking/vdirsyncer.nix 
···

       
45

       
 

       
      }


     

       
46

       
 

       
      // (optionalAttrs (cfg'.user == null) {


     

       
47

       
 

       
        DynamicUser = true;


     

       

       

       
     

       
48

       
 

       
      })


     

       
49

       
 

       
      // (optionalAttrs (cfg'.additionalGroups != [ ]) {


     

       
50

       
 

       
        SupplementaryGroups = cfg'.additionalGroups;


     
···

       
63

       
 

       
      PrivateTmp = true;


     

       
64

       
 

       
      NoNewPrivileges = true;


     

       
65

       
 

       
      ProtectSystem = "strict";


     

       
66

       
-

       
      ProtectHome = true;


     

       
67

       
 

       
      ProtectKernelTunables = true;


     

       
68

       
 

       
      ProtectKernelModules = true;


     

       
69

       
 

       
      ProtectControlGroups = true;


     
···

       
45

       
 

       
      }


     

       
46

       
 

       
      // (optionalAttrs (cfg'.user == null) {


     

       
47

       
 

       
        DynamicUser = true;


     

       
48

       
+

       
        ProtectHome = true;


     

       
49

       
 

       
      })


     

       
50

       
 

       
      // (optionalAttrs (cfg'.additionalGroups != [ ]) {


     

       
51

       
 

       
        SupplementaryGroups = cfg'.additionalGroups;


     
···

       
64

       
 

       
      PrivateTmp = true;


     

       
65

       
 

       
      NoNewPrivileges = true;


     

       
66

       
 

       
      ProtectSystem = "strict";


     

       

       

       
     

       
67

       
 

       
      ProtectKernelTunables = true;


     

       
68

       
 

       
      ProtectKernelModules = true;


     

       
69

       
 

       
      ProtectControlGroups = true;
-7
nixos/tests/vdirsyncer.nix 
···

       
217

       
 

       
          };


     

       
218

       
 

       
        };


     

       
219

       
 

       



     

       
220

       
-

       
        # ProtectHome is the default, but we must access our storage


     

       
221

       
-

       
        # in ~.


     

       
222

       
-

       
        systemd.services = {


     

       
223

       
-

       
          "vdirsyncer@alice".serviceConfig.ProtectHome = lib.mkForce false;


     

       
224

       
-

       
          "vdirsyncer@bob".serviceConfig.ProtectHome = lib.mkForce false;


     

       
225

       
-

       
        };


     

       
226

       
-

       



     

       
227

       
 

       
        users.users = {


     

       
228

       
 

       
          alice.isNormalUser = true;


     

       
229

       
 

       
          bob.isNormalUser = true;


     
···

       
217

       
 

       
          };


     

       
218

       
 

       
        };


     

       
219

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
220

       
 

       
        users.users = {


     

       
221

       
 

       
          alice.isNormalUser = true;


     

       
222

       
 

       
          bob.isNormalUser = true;