authorLucas Savva <lucas@m1cr0man.com>2020-10-22 14:04:31 +0100
committerLucas Savva <lucas@m1cr0man.com>2020-10-22 14:04:31 +0100
commit89d134b3fdcbc4412f5d7cc4e391747b3f578b32 (patch)
tree9192f475e006c677ad9bcf613572f571fac16a81 /nixos/modules/security/acme.nix
parentd2b8b928655f1b5e80985e49555aef70818a9bdf (diff)
nixos/acme: Use more secure chmods
Previous settings would make files executable in
the certs directories.
Diffstat (limited to 'nixos/modules/security/acme.nix')
-rw-r--r--nixos/modules/security/acme.nix4
1 files changed, 2 insertions, 2 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 5732620f290..47f6bead7c3 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -63,7 +63,7 @@ let
     script = with builtins; concatStringsSep "\n" (mapAttrsToList (cert: data: ''
       for fixpath in /var/lib/acme/${escapeShellArg cert} /var/lib/acme/.lego/${escapeShellArg cert}; do
         if [ -d "$fixpath" ]; then
-          chmod -R 750 "$fixpath"
+          chmod -R u=rwX,g=rX,o= "$fixpath"
           chown -R acme:${data.group} "$fixpath"
         fi
       done
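Review bot: The new `chmod -R u=rwX,g=rX,o=` on the fix-up path does not remove the execute bit from regular files that already have it, because the symbolic `X` keeps execute/search on any entry that is a directory or already has execute permission for some user; on systems that ran the removed `chmod -R 750`, every file under `$fixpath` already has u+x and g+x, so the defect named in the commit message persists for existing installations. Splitting the pass by type strips the bits as intended: `find "$fixpath" -type d -exec chmod u=rwx,g=rx,o= {} +` followed by `find "$fixpath" -type f -exec chmod u=rw,g=r,o= {} +`. Separately, this pass grants `g=r` over the whole `/var/lib/acme/.lego/<cert>` tree; if that directory is lego's working path and holds an `accounts/` subtree (as the second hunk's `accounts/*` suggests), the account private key becomes readable to `${data.group}`, which conflicts with the owner-only mode the other hunk applies to `accounts/*` — worth confirming and excluding `accounts` from the group grant if so. The enclosing script string starts before this hunk.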
@@ -271,7 +271,7 @@ let
 
         mv domainhash.txt certificates/
         chmod 640 certificates/*
-        chmod -R 700 accounts/*
+        chmod -R u=rwX,g=,o= accounts/*
 
         # Group might change between runs, re-apply it
         chown 'acme:${data.group}' certificates/*
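Review bot: `chmod -R u=rwX,g=,o= accounts/*` has the same weakness as the fix-up path: `X` preserves an existing execute bit on regular files, and the replaced `chmod -R 700` had set u+x on every file under `accounts/`, so on a renewal after upgrade the account key file keeps its execute bit rather than ending at 0600. Applying the modes per type fixes it, e.g. `find accounts -type d -exec chmod u=rwx,g=,o= {} +` and `find accounts -type f -exec chmod u=rw,g=,o= {} +`, which also avoids the unquoted `accounts/*` glob expanding to nothing when the directory is empty. The function body this hunk sits in starts and ends outside the hunk, so whether `set -e` or `nullglob` is in effect cannot be seen here.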