nixos/exim: apply privilege restrictions
Since 816614b, the service is set to use the exim user so that
systemd takes care of the credentials ownership. The executable is
still required to run as root, to then drop privileges. The prefix '+'
that was used however interferes with the use of privilege restrictions
and other sandboxing options. Since we only want to escape the "User"
setting, we can use the '!' prefix instead.

(cherry picked from commit 54be076)
pacien authored and github-actions[bot] committed Jun 6, 2023
1 parent a558f7a commit 8ebdbef
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions nixos/modules/services/mail/exim.nix
Expand Up @@ -116,8 +116,8 @@ in
wantedBy = [ "multi-user.target" ];
restartTriggers = [ config.environment.etc."exim.conf".source ];
serviceConfig = {
ExecStart = "+${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}";
ExecReload = "+${coreutils}/bin/kill -HUP $MAINPID";
ExecStart = "!${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}";
ExecReload = "!${coreutils}/bin/kill -HUP $MAINPID";
User = cfg.user;
};
preStart = ''
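Review bot: The `!` prefix on `ExecStart` and `ExecReload` has no comment explaining why it is there, and the difference from `+` is easy to miss or revert later. A short Nix comment above `ExecStart` would help, saying that exim has to start as root and drop privileges itself, and that `!` exempts only the credential settings (`User=`, `Group=`, `SupplementaryGroups=`) while sandboxing options in `serviceConfig` keep applying. Note also that this hunk sets no restriction options of its own next to `User = cfg.user;`, so the effect depends on options defined elsewhere. It would be worth stating in the commit or in a module test which restrictions were checked against the root-started daemon and against the `kill -HUP $MAINPID` reload.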