author | Michele Guerini Rocco <rnhmjoj@users.noreply.github.com> | 2022-01-31 10:06:57 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-31 10:06:57 +0100 |
commit | 09e29560121f00cc238a4ea4960e3a9d74e68afe (patch) | |
tree | 0cc57a81fb7b8dd373a143de57a285e4541b4d7b /nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | |
parent | b48539da9a48b66f6bbb0c668b81e0b55f602416 (diff) | |
parent | 79b4b7eaa1a00424cbf63305516e92c8dd055c94 (diff) | |
Merge pull request #155895 from rnhmjoj/pr-dhcpd-hard
nixos/dhcpd: switch to DynamicUser [v2]
Diffstat (limited to 'nixos/doc/manual/from_md/release-notes/rl-2205.section.xml')
-rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 41a84ed0221..1811c5ec561 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -237,6 +237,23 @@ </listitem> <listitem> <para> + The DHCP server (<literal>services.dhcpd4</literal>, + <literal>services.dhcpd6</literal>) has been hardened. The + service is now using the systemd’s + <literal>DynamicUser</literal> mechanism to run as an + unprivileged dynamically-allocated user with limited + capabilities. The dhcpd state files are now always stored in + <literal>/var/lib/dhcpd{4,6}</literal> and the + <literal>services.dhcpd4.stateDir</literal> and + <literal>service.dhcpd6.stateDir</literal> options have been + removed. If you were depending on root privileges or + set{uid,gid,cap} binaries in dhcpd shell hooks, you may give + dhcpd more capabilities with e.g. + <literal>systemd.services.dhcpd6.serviceConfig.AmbientCapabilities</literal>. + </para> + </listitem> + <listitem> + <para> The <literal>mailpile</literal> email webclient (<literal>services.mailpile</literal>) has been removed due to its reliance on python2. |
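Review bot: The removed-options sentence in the added paragraph names `service.dhcpd6.stateDir`, which does not match the `services.dhcpd4.stateDir` spelling right before it or the `services.dhcpd6` module named at the top of the entry; it should read `services.dhcpd6.stateDir` so that users searching their configuration for the removed option find it. In the same paragraph, "the systemd’s" should be "systemd’s". The entry also says the state files are "now always stored in" `/var/lib/dhcpd{4,6}` but not what happens to existing lease files for anyone who had set a custom `stateDir`; a sentence saying whether they are migrated or must be moved by hand would help upgraders. Finally, the `AmbientCapabilities` pointer would be safer with a reminder to grant only the specific capabilities a hook needs, since the point of the change is to run dhcpd with limited capabilities.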