author | tv <tv@krebsco.de> | 2022-01-04 20:30:02 +0100 |
---|---|---|
committer | tv <tv@krebsco.de> | 2022-01-04 20:30:02 +0100 |
commit | e82cbd6f35c85ce4aeb2e0f4572e6742c536d941 (patch) | |
tree | 9f0522166853a45bcc6aa78d5f8e1857d78bbb17 /krebs/3modules/exim.nix | |
parent | d7edeeac5071ae96e60303a76ff32df2fca98db9 (diff) |

exim: set User= but run as root

LoadCredential= will set the owner of $CREDENTIALS_DIRECTORY and the
credentials to User=. As Exim currently has to be run as
root in order to use the standard SMTP port and for local deliveries[1],
set User=exim, but run all processes as root.

[1]: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-security_considerations.html#SECID270

Diffstat (limited to 'krebs/3modules/exim.nix')
-rw-r--r-- | krebs/3modules/exim.nix | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/krebs/3modules/exim.nix b/krebs/3modules/exim.nix index 972c7f437..0f0aa67f0 100644 --- a/krebs/3modules/exim.nix +++ b/krebs/3modules/exim.nix @@ -65,8 +65,9 @@ in { config.environment.etc."exim.conf".source ]; serviceConfig = { - ExecStart = "${pkgs.exim}/bin/exim -bdf -q30m"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + ExecStart = "+${pkgs.exim}/bin/exim -bdf -q30m"; + ExecReload = "+${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + User = cfg.user.name; }; wantedBy = [ "multi-user.target" ]; }; |
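
Review bot: The `+` prefix on the new ExecStart and ExecReload lines does more than override `User = cfg.user.name`: systemd runs a `+`-prefixed command with full privileges, so sandboxing options added to this serviceConfig later (capability bounding, file system namespacing) would also be skipped for Exim without anyone noticing. If the intent is only to keep root while letting User= determine credential ownership, consider the `!` prefix, which limits the exemption to User=, Group= and SupplementaryGroups=, after checking that the credentials are still set up as expected. Either way, a short comment next to `User = cfg.user.name;` stating that the daemon still runs as root would help, since a reader of the unit will otherwise assume Exim has dropped privileges.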