Unverified Commit 8fafc351 authored by rnhmjoj

resolvconf: reliably set group permissions

If `resolvconf` is invoked by a process not running with the resolvconf
group as primary group, other processes will run into trouble as files
or directories under /run/resolvconf won't have write permissions.

This ACL rule ensures that resolvconf files, including new files created by
any process, are always accessible by users of the resolvconf group.
parent 31eafaeb
+6 −3
@@ -161,9 +161,12 @@ in

        script = ''
          ${lib.getExe cfg.package} -u
          files=(/run/resolvconf ${lib.escapeShellArgs cfg.subscriberFiles})
          chgrp -R resolvconf "''${files[@]}"
          chmod -R g=u "''${files[@]}"
          chgrp resolvconf ${lib.escapeShellArgs cfg.subscriberFiles}
          chmod g=u ${lib.escapeShellArgs cfg.subscriberFiles}
          ${lib.getExe' pkgs.acl "setfacl"} -R \
            -m group:resolvconf:rwx \
            -m default:group:resolvconf:rwx \
            /run/resolvconf
        '';
      };
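Review bot: the access entry `-m group:resolvconf:rwx` in the `setfacl -R` call is applied to every regular file under /run/resolvconf as well as to the directories, so the generated files end up with an execute bit for the group even though the commit message only needs group write. setfacl accepts `X` (execute only for directories or files that are already executable for some user), so `-m group:resolvconf:rwX` would give the directories the traversal bit they need without marking plain files executable; the `default:` entry can stay `rwx`, since it only matters for newly created entries and the create mode masks it. Note that the new `chmod -R g=u "''${files[@]}"` two lines above has the same effect of copying whatever the owner has, execute bits included, onto the group; that was already the behaviour of the replaced non-recursive `chmod g=u`, so it is worth a comment in the script stating that group-execute on the files is intentional rather than a side effect.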