author | markuskowa <markus.kowalewski@gmail.com> | 2018-06-09 00:50:28 +0200 |
committer | xeji <36407913+xeji@users.noreply.github.com> | 2018-06-09 00:50:28 +0200 |
commit | 96af022af5d587dc3de21334c24760df8117bc26 (patch) | |
tree | 00dfaec8d7603c91d3d7e4a92b394347a6ace12c | |
parent | b22c1b79943c24bb71859ac29194877a471a5160 (diff) | |
nixos/munge: run munge as user munge instead of root. (#41509)
* Added a note to the release notes (incompatibilities) * Adapted the slurm test * Changed the user to munge in services.munge
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1809.xml | 6 | ||||
-rw-r--r-- | nixos/modules/services/security/munge.nix | 16 | ||||
-rw-r--r-- | nixos/tests/slurm.nix | 1 |
3 files changed, 22 insertions, 1 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1809.xml b/nixos/doc/manual/release-notes/rl-1809.xml
index ae0f35046ff..5799354c6e9 100644
--- a/nixos/doc/manual/release-notes/rl-1809.xml
+++ b/nixos/doc/manual/release-notes/rl-1809.xml
@@ -121,6 +121,12 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull'
 <literal>gnucash24</literal>.
 </para>
 </listitem>
+ <listitem>
+ <para>
+ <varname>services.munge</varname> now runs as user (and group) <literal>munge</literal> instead of root.
+ Make sure the key file is accessible to the daemon.
+ </para>
+ </listitem>
 </itemizedlist>
 </section>
diff --git a/nixos/modules/services/security/munge.nix b/nixos/modules/services/security/munge.nix
index 919c2c2b0e1..5bca1583354 100644
--- a/nixos/modules/services/security/munge.nix
+++ b/nixos/modules/services/security/munge.nix
@@ -35,7 +35,15 @@ in
 environment.systemPackages = [ pkgs.munge ];
- systemd.services.munged = {
+ users.users.munge = {
+ description = "Munge daemon user";
+ isSystemUser = true;
+ group = "munge";
+ };
+
+ users.groups.munge = {};
+
+ systemd.services.munged = {
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
@@ -44,14 +52,20 @@ in
 preStart = ''
 chmod 0700 ${cfg.password}
 mkdir -p /var/lib/munge -m 0711
+ chown -R munge:munge /var/lib/munge
 mkdir -p /var/log/munge -m 0700
+ chown -R munge:munge /var/log/munge
 mkdir -p /run/munge -m 0755
+ chown -R munge:munge /run/munge
 '';
 serviceConfig = {
 ExecStart = "${pkgs.munge}/bin/munged --syslog --key-file ${cfg.password}";
 PIDFile = "/run/munge/munged.pid";
 ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ PermissionsStartOnly = "true";
+ User = "munge";
+ Group = "munge";
 };
 };
diff --git a/nixos/tests/slurm.nix b/nixos/tests/slurm.nix
index c23d85e4002..ec67ea09287 100644
--- a/nixos/tests/slurm.nix
+++ b/nixos/tests/slurm.nix
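Review bot: In the second munge.nix hunk, preStart still only runs `chmod 0700 ${cfg.password}` and never changes the key file's owner, so after this commit a root-owned key (the usual case for a file an admin created as root) becomes unreadable to the daemon now running as `munge`, while the three directories do get a `chown -R munge:munge`. Adding `chown munge:munge ${cfg.password}` next to the chmod would keep the module self-contained; the slurm.nix hunk, which now has to chown the key by hand before restarting munged, is a symptom of this gap, and the release note pushes the same manual step onto every user. Ownership is likely to matter beyond plain readability, since munged appears to refuse a key file it does not own or that others can read — worth confirming against the packaged munged before relying on the chmod alone. Separately, `PermissionsStartOnly = "true"` plus `mkdir`/`chown -R` on every start could be replaced by `RuntimeDirectory`/`StateDirectory`/`LogsDirectory` in serviceConfig, which hands systemd the ownership of /run/munge, /var/lib/munge and /var/log/munge without a recursive chown as root each start, if the systemd in this channel supports them.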
@@ -61,6 +61,7 @@ in {
 $node->succeed("mkdir /etc/munge");
 $node->succeed("echo '${mungekey}' > /etc/munge/munge.key");
 $node->succeed("chmod 0400 /etc/munge/munge.key");
+ $node->succeed("chown munge:munge /etc/munge/munge.key");
 $node->succeed("systemctl restart munged");
 }
|