Merge pull request #61729 from worldofpeace/geoclue/no-root

nixos/geoclue2: don't run as root

2 files changed, 14 insertions, 0 deletions

diff --git a/nixos/modules/services/desktops/geoclue2.nix b/nixos/modules/services/desktops/geoclue2.nix
index a16dbc04a5f..040fe157d52 100644
--- a/nixos/modules/services/desktops/geoclue2.nix
+++ b/nixos/modules/services/desktops/geoclue2.nix
@@ -188,6 +188,19 @@ in
 
     systemd.packages = [ package ];
 
+    users.users.geoclue = {
+      isSystemUser = true;
+      home = "/var/lib/geoclue";
+      group = "geoclue";
+      description = "Geoinformation service";
+    };
+
+    users.groups.geoclue = {};
+
+    systemd.tmpfiles.rules = [
+      "d /var/lib/geoclue 0755 geoclue geoclue"
+    ];
+
     # restart geoclue service when the configuration changes
     systemd.services."geoclue".restartTriggers = [
       config.environment.etc."geoclue/geoclue.conf".source
diff --git a/pkgs/development/libraries/geoclue/default.nix b/pkgs/development/libraries/geoclue/default.nix
index 70319c9151f..6a44f01d011 100644
--- a/pkgs/development/libraries/geoclue/default.nix
+++ b/pkgs/development/libraries/geoclue/default.nix
@@ -42,6 +42,7 @@ stdenv.mkDerivation rec {
     "-Ddemo-agent=${if withDemoAgent then "true" else "false"}"
     "--sysconfdir=/etc"
     "-Dsysconfdir_install=${placeholder "out"}/etc"
+    "-Ddbus-srv-user=geoclue"
   ] ++ optionals stdenv.isDarwin [
     "-D3g-source=false"
     "-Dcdma-source=false"