Infinidoge / nix-minecraft

An attempt to better support Minecraft-related content for the Nix ecosystem
MIT License

Harden module, use systemd.tmpfiles to create dirs #39

Closed Misterio77 closed 8 months ago

Misterio77 commented 1 year ago

This PR hardens the minecraft service, and in that process uses systemd to create directories (and set permissions), instead of relying on scripts.

Try running systemd-analyze security, and you'll see that the current score is < 1. With this PR, it increases to 3.

I also changed the umask from 002 to 007; this means new files will be 770 and not 775. I think this is better, as other users (that are not in the group) should not have any access to the files whatsoever.

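For readers who want to see what "harden the service and let systemd create the directories" looks like in a NixOS module, here is an added example. It is not the nix-minecraft module and not code from this PR; the paths, user and group names, and the exact set of sandboxing directives are assumptions chosen to illustrate the approach (systemd.tmpfiles.rules for the data directory, UMask=0007, and the ProtectSystem/ReadWritePaths pairing that tmpfiles-created directories need).

```nix
{ config, lib, pkgs, ... }:

{
  # Assumed names: a dedicated system user/group and a fixed data directory.
  users.users.minecraft = {
    isSystemUser = true;
    group = "minecraft";
    home = "/srv/minecraft";
  };
  users.groups.minecraft = { };

  # Let systemd-tmpfiles create the data directory with the right owner and
  # mode at boot, instead of a preStart script doing mkdir/chown/chmod.
  # Format: type path mode user group age argument
  systemd.tmpfiles.rules = [
    "d /srv/minecraft 0770 minecraft minecraft - -"
  ];

  systemd.services.minecraft = {
    description = "Minecraft server (hardened example, hypothetical)";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];

    serviceConfig = {
      User = "minecraft";
      Group = "minecraft";
      WorkingDirectory = "/srv/minecraft";
      # Assumed launcher; a real module builds this from its own options.
      ExecStart = "${pkgs.jre_headless}/bin/java -Xmx2G -jar server.jar nogui";

      # 0007: new files 0660 and new directories 0770, nothing for "other".
      UMask = "0007";

      # Filesystem sandbox. ProtectSystem=strict makes the whole tree
      # read-only, so the tmpfiles-created data directory must be listed
      # explicitly in ReadWritePaths or the server cannot save worlds.
      ProtectSystem = "strict";
      ReadWritePaths = [ "/srv/minecraft" ];
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;

      # Kernel and process hardening.
      NoNewPrivileges = true;
      CapabilityBoundingSet = "";
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectHostname = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      LockPersonality = true;
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" "~@privileged" ];

      # The JVM JIT needs writable+executable mappings, so this one
      # directive stays off; systemd-analyze security will flag it.
      MemoryDenyWriteExecute = false;
    };
  };
}
```

After a rebuild, `systemd-analyze security minecraft.service` lists each directive with its contribution to the exposure score, which is the quickest way to see which of the remaining settings are worth the compatibility risk for a JVM workload.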
Misterio77 commented 1 year ago

You can check this commit passes the tests by cherry-picking the tests branch:

git fetch git@github.com:misterio77/nix-minecraft tests
git cherry-pick -n FETCH_HEAD

nix flake check

git reset --hard

Infinidoge commented 1 year ago

TIL systemd-analyze security exists. Sometimes I wonder what commands aren't in systemd.