JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

nixos/munge: run munge as user munge instead of root. (#41509)

Browse Source 
* Added a note in release notes (incompatibilities)
* Adapt slurm test
* Change user to munge in service.munge
This commit is contained in:
markuskowa 2018-06-09 00:50:28 +02:00 committed by xeji
parent b22c1b7994
commit 96af022af5
3 changed files with 22 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
nixos/doc/manual/release-notes/rl-1809.xml
View File

@ -121,6 +121,12 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull'
<literal>gnucash24</literal>. <literal>gnucash24</literal>.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<varname>services.munge</varname> now runs as user (and group) <literal>munge</literal> instead of root.
Make sure the key file is accessible to the daemon.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>

16
nixos/modules/services/security/munge.nix
View File

@ -35,7 +35,15 @@ in
environment.systemPackages = [ pkgs.munge ]; environment.systemPackages = [ pkgs.munge ];
systemd.services.munged = { users.users.munge = {
description = "Munge daemon user";
isSystemUser = true;
group = "munge";
};
users.groups.munge = {};
systemd.services.munged = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
@ -44,14 +52,20 @@ in
preStart = '' preStart = ''
chmod 0700 ${cfg.password} chmod 0700 ${cfg.password}
mkdir -p /var/lib/munge -m 0711 mkdir -p /var/lib/munge -m 0711
chown -R munge:munge /var/lib/munge
mkdir -p /var/log/munge -m 0700 mkdir -p /var/log/munge -m 0700
chown -R munge:munge /var/log/munge
mkdir -p /run/munge -m 0755 mkdir -p /run/munge -m 0755
chown -R munge:munge /run/munge
''; '';
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.munge}/bin/munged --syslog --key-file ${cfg.password}"; ExecStart = "${pkgs.munge}/bin/munged --syslog --key-file ${cfg.password}";
PIDFile = "/run/munge/munged.pid"; PIDFile = "/run/munge/munged.pid";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
PermissionsStartOnly = "true";
User = "munge";
Group = "munge";
}; };
}; };

1
nixos/tests/slurm.nix
View File

@ -61,6 +61,7 @@ in {
$node->succeed("mkdir /etc/munge"); $node->succeed("mkdir /etc/munge");
$node->succeed("echo '${mungekey}' > /etc/munge/munge.key"); $node->succeed("echo '${mungekey}' > /etc/munge/munge.key");
$node->succeed("chmod 0400 /etc/munge/munge.key"); $node->succeed("chmod 0400 /etc/munge/munge.key");
$node->succeed("chown munge:munge /etc/munge/munge.key");
$node->succeed("systemctl restart munged"); $node->succeed("systemctl restart munged");
} }