Commit efc7aebd authored by euxane, committed by Herwig Hochleitner

nixos/fcgiwrap: require explicit owner for UNIX sockets

The default in the previous option documentation was incorrect,
resulting in the UNIX socket to be unreachable except by root by
default.

This fixes the documentation and requires consumers to set values
explicitly for the socket's owning user and group.
parent 4f2da6c9
+8 −2
@@ -68,7 +68,6 @@ in {
        default = null;
        description = ''
          User to be set as owner of the UNIX socket.
          Defaults to the process running user.
        '';
      };

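Review bot: The `socket.user` description no longer tells the reader what to do with `default = null`. The hunk header (-68,7 +68,6) drops one line here, which per the commit message is the incorrect "Defaults to the process running user." sentence, but nothing replaces it. Suggest stating in the description that the option is required when `socket.type` is "unix" and must be left unset otherwise, so the constraint is visible in the option documentation and not only as an evaluation failure from the new assertions.
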
@@ -77,7 +76,6 @@ in {
        default = null;
        description = ''
          Group to be set as owner of the UNIX socket.
          Defaults to the process running group.
        '';
      };

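Review bot: The `socket.group` description should say who the group is meant for, not only that it is the owner. With the "Defaults to the process running group." line gone, "Group to be set as owner of the UNIX socket." gives no guidance on choosing a value, and the group owner is part of what decides which other services can reach the socket. Suggest noting that the option is required for the UNIX socket type and that it should be the group of the service that connects to the socket, not a broader one.
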
@@ -97,6 +95,14 @@ in {

  config = {
    assertions = concatLists (mapAttrsToList (name: cfg: [
      {
        assertion = cfg.socket.type == "unix" -> cfg.socket.user != null;
        message = "Socket owner is required for the UNIX socket type.";
      }
      {
        assertion = cfg.socket.type == "unix" -> cfg.socket.group != null;
        message = "Socket owner is required for the UNIX socket type.";
      }
      {
        assertion = cfg.socket.user != null -> cfg.socket.type == "unix";
        message = "Socket owner can only be set for the UNIX socket type.";