author | Lucas Savva <lucas@m1cr0man.com> | 2020-10-22 14:04:31 +0100 |
---|---|---|
committer | Lucas Savva <lucas@m1cr0man.com> | 2020-10-22 14:04:31 +0100 |
commit | 89d134b3fdcbc4412f5d7cc4e391747b3f578b32 (patch) | |
tree | 9192f475e006c677ad9bcf613572f571fac16a81 | |
parent | d2b8b928655f1b5e80985e49555aef70818a9bdf (diff) |
nixos/acme: Use more secure chmods
Previous settings would make files executable in
the certs directories.
-rw-r--r-- | nixos/modules/security/acme.nix | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 5732620f2908..47f6bead7c3e 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -63,7 +63,7 @@ let
 script = with builtins; concatStringsSep "\n" (mapAttrsToList (cert: data: ''
 for fixpath in /var/lib/acme/${escapeShellArg cert} /var/lib/acme/.lego/${escapeShellArg cert}; do
 if [ -d "$fixpath" ]; then
- chmod -R 750 "$fixpath"
+ chmod -R u=rwX,g=rX,o= "$fixpath"
 chown -R acme:${data.group} "$fixpath"
 fi
 done
@@ -271,7 +271,7 @@ let
 mv domainhash.txt certificates/
 chmod 640 certificates/*
- chmod -R 700 accounts/*
+ chmod -R u=rwX,g=,o= accounts/*
 # Group might change between runs, re-apply it
 chown 'acme:${data.group}' certificates/* |
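Review bot: The new `chmod -R u=rwX,g=rX,o= "$fixpath"` does not clear execute bits that the old `chmod -R 750` already set, because the capital `X` keeps the x bit on any regular file that currently has it — so on hosts that ran the previous module version, key and cert files under /var/lib/acme/${cert} stay executable after this change, and only freshly created files benefit. To actually remove the bit the script should set directory and file modes separately, e.g. `find "$fixpath" -type d -exec chmod u=rwx,g=rx,o= {} +` followed by `find "$fixpath" -type f -exec chmod u=rw,g=r,o= {} +`, which is idempotent and safe to run on every activation. A one-line comment such as `# X only adds x to dirs and already-executable files; strip files explicitly` above the fixup would make the intent clear to the next reader. The `script` definition this loop belongs to continues past the end of the hunk.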