From 8db7c14e5632cb139ecdb0eeceaabddc9f00d7a8 Mon Sep 17 00:00:00 2001
From: Thomas Strobel
Date: Thu, 10 Sep 2015 18:04:04 +0200
Subject: [PATCH] namecoind nixos module: security enhancements
---
 nixos/modules/misc/ids.nix | 2 +-
 .../modules/services/networking/namecoind.nix | 24 ++++++++++++++++++-
 2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 8ee92f695b46..0d7b1c4f222f 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -437,7 +437,7 @@
 riak = 205;
 #shout = 206; #unused
 gateone = 207;
- #namecoin = 208; #unused
+ namecoin = 208;
 # When adding a gid, make sure it doesn't match an existing
 # uid. Users and groups with the same name should have equal
diff --git a/nixos/modules/services/networking/namecoind.nix b/nixos/modules/services/networking/namecoind.nix
index 4851abc47481..83fc1ec66679 100644
--- a/nixos/modules/services/networking/namecoind.nix
+++ b/nixos/modules/services/networking/namecoind.nix
@@ -45,7 +45,8 @@ in
 type = types.path;
 example = "/etc/namecoin/wallet.dat";
 description = ''
- Wallet file.
+ Wallet file. The ownership of the file has to be
+ namecoin:namecoin, and the permissions must be 0640.
 '';
 };
@@ -61,6 +62,8 @@ in
 USER=namecoin
 PASSWORD=secret
+ The ownership of the file has to be namecoin:namecoin,
+ and the permissions must be 0640.
 '';
 };
@@ -107,10 +110,29 @@ in
 createHome = true;
 };
+ users.extraGroups = singleton
+ { name = "namecoin";
+ gid = config.ids.gids.namecoin;
+ };
+
 systemd.services.namecoind = {
 description = "Namecoind Daemon";
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
+ preStart = ''
+ if [ "$(stat --printf '%u' ${cfg.userFile})" != "${toString config.ids.uids.namecoin}" \
+ -o "$(stat --printf '%g' ${cfg.userFile})" != "${toString config.ids.gids.namecoin}" \
+ -o "$(stat --printf '%a' ${cfg.userFile})" != "640" ]; then
+ echo "ERROR: bad ownership or rights on ${cfg.userFile}" >&2
+ exit 1
+ fi
+ if [ "$(stat --printf '%u' ${cfg.wallet})" != "${toString config.ids.uids.namecoin}" \
+ -o "$(stat --printf '%g' ${cfg.wallet})" != "${toString config.ids.gids.namecoin}" \
+ -o "$(stat --printf '%a' ${cfg.wallet})" != "640" ]; then
+ echo "ERROR: bad ownership or rights on ${cfg.wallet}" >&2
+ exit 1
+ fi
+ '';
 serviceConfig = {
 Type = "simple";
 User = "namecoin";
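Review bot: The mode test in the added preStart requires exactly `640`, so a wallet or credentials file locked down to 600 or 400 is refused and the operator is pushed towards the looser, group-readable setting; testing against an upper bound keeps the guarantee without that side effect, and the two option descriptions earlier in the patch would need the same rewording. The paths are also spliced into the script unquoted as `${cfg.userFile}` and `${cfg.wallet}`, which breaks on whitespace and, if a caller passes a Nix path literal (the option type is `types.path`), would presumably copy the secret into the world-readable store at interpolation time; `toString` plus shell quoting avoids both. A missing file currently lands in the same branch, so the "bad ownership" message is misleading, and a wallet that does not exist yet appears to block the first start. The two near-identical `[ … -o … ]` tests can be folded into one helper, as sketched below; the serviceConfig block continues outside the hunk.

```nix
preStart = ''
  # Fail unless $1 is owned by namecoin:namecoin and grants nothing beyond 0640.
  check_secret() {
    owner="$(stat --printf '%u:%g' "$1")" || exit 1
    mode="$(stat --printf '%a' "$1")" || exit 1
    # 0137 = owner-exec, group write/exec and every "other" bit.
    if [ "$owner" != "${toString config.ids.uids.namecoin}:${toString config.ids.gids.namecoin}" ] \
       || [ $(( 0$mode & 0137 )) -ne 0 ]; then
      echo "ERROR: bad ownership or rights on $1" >&2
      exit 1
    fi
  }
  check_secret "${toString cfg.userFile}"
  check_secret "${toString cfg.wallet}"
'';
# … unchanged: serviceConfig …
```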