Open kr-nn opened 2 weeks ago
eclairevoyant
commented
2 weeks ago Nix does not permit setcap, so that's not possible.
What is possible is, if you use NixOS, use security.wrappers options accordingly.
This could potentially be done in the main module but I'd want reviewers/maintainers to look into the security risks with that.
If you're not on NixOS, this is would not be handled by nixpkgs at all.
kr-nn
commented
2 weeks ago I did a bit of digging and it may be possible with a systemd option ambientCapabilities and might be more suited to the service module.
I agree with the security implications which is why I figured a non-default pkg would be better suited, likely with a warning about the security issues of setting those capabilities.
Im not sure what other things might be affected though. Im pretty new to nixos and learning a bunch of things.
rnhmjoj
commented
3 days ago I did a bit of digging and it may be possible with a systemd option ambientCapabilities and might be more suited to the service module.
This is the proper way to go, especially considering syncthing has a NixOS module and virtually everyone runs it as a systemd service.
syncthing as a service is already quite useful but a problem that exists is the permission to update permissions on files by syncing ownership and such.
syncthing sometimes requires setcap CAP_CHOWN,CAP_FOWNER=pe https://docs.syncthing.net/advanced/folder-sync-ownership
Would be useful to have a second syncthing binary with setcap permissions set. (or alternatively set them on the main package, im not sure of the downsides in doing this)