nixos/fcgiwrap: do not run as root by default

Use a dynamic user instead unless one is specified.
2024-06-08 23:07:33 +02:00 · 2024-06-08 23:07:33 +02:00 · 51b246a1ac
commit 51b246a1ac
parent c5dc3e2034
2 changed files with 10 additions and 3 deletions
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@ -51,6 +51,8 @@
  `services.fcgiwrap.*` to `services.fcgiwrap.some-instance.*`.
  The ownership and mode of the UNIX sockets created by this service are now
  configurable and private by default.
+  Processes also now run as a dynamically allocated user by default instead of
+  root.

 - `nvimpager` was updated to version 0.13.0, which changes the order of user and
  nvimpager settings: user commands in `-c` and `--cmd` now override the
--- a/nixos/modules/services/web-servers/fcgiwrap.nix
+++ b/nixos/modules/services/web-servers/fcgiwrap.nix
@ -21,7 +21,10 @@ in {
      process.user = mkOption {
        type = types.nullOr types.str;
        default = null;
-        description = "User as which this instance of fcgiwrap will be run.";
+        description = ''
+          User as which this instance of fcgiwrap will be run.
+          Set to `null` (the default) to use a dynamically allocated user.
+        '';
      };

      process.group = mkOption {
@ -106,10 +109,12 @@ in {
            s = "${cfg.socket.type}:${cfg.socket.address}";
          }))}
        '';
-      } // (if cfg.process.user != null && cfg.process.group != null then {
+      } // (if cfg.process.user != null then {
        User = cfg.process.user;
        Group = cfg.process.group;
-      } else { } );
+      } else {
+        DynamicUser = true;
+      });
    });

    systemd.sockets = forEachInstance (cfg: mkIf (cfg.socket.type == "unix") {