23 Sep 2024 |
hexa | just wondering why the fpm needs to run as root | 15:43:46 |
Genghiz | It doesn’t. | 15:44:35 |
Genghiz | I’ve run it as a specific user for a long time on Debian. | 15:44:45 |
Genghiz | It also radically simplifies the systemd service because you can comfortably enable more lockdown options. | 15:45:23 |
Genghiz | Never done it on nixos because it doesn’t make a huge difference. | 15:45:40 |
Genghiz | The only reason I can think of for it is that this way you can create the listen socket with group == nginx or caddy independent of the group the main process runs as. | 15:46:24 |
Genghiz | There are ways to have nearly equivalent security even with this setup, but they require some brainpower to come up with. | 15:47:06 |
Pol | I think I saw a couple of PRs for hardening some services. I guess this is the reason why hexa is asking this. | 15:53:42 |
hexa | rolling with a unix socket for reverse proxying is probably best in slot | 15:55:28 |
hexa | best not to break that | 16:09:32 |
Genghiz | I mean, one can try it with ACLs, for one | 16:15:17 |
Genghiz | Another would be to run the process with user:group as php:caddy but keep permissions of 0700 on the data directory | 16:15:59 |
Genghiz | That's how you'd do it for all non-php processes anyway | 16:16:17 |
Genghiz | In reply to @genghiz:cdw.go7box.xyz "Another would be to run the process with user:group as php:caddy but keep permissions of 0700 on the data directory" Tbh, though, even if you don't do this, as long as the webserver is secured well enough you're basically not bothered, I should think. | 16:25:35 |
Genghiz | I'd probably add something like systemd.services.phpfpm-<name>.settings.SupplementaryGroups = [ "nginx" "caddy" "httpd" ]; or some such with if conditions for whether those services are enabled or not. | 16:26:58 |
Genghiz | I've added privatebin in this PR: https://github.com/NixOS/nixpkgs/pull/344014 | 17:52:50 |
26 Sep 2024 |
| vendion joined the room. | 14:19:45 |
27 Sep 2024 |
Genghiz | In reply to @genghiz:cdw.go7box.xyz "I've added privatebin in this PR: https://github.com/NixOS/nixpkgs/pull/344014" @drupol:matrix.org Do please have another look whenever you get the time. I've responded to your comments. | 06:10:58 |
Pol | Genghiz: The PR title needs to be updated. NixOS module needs a specific format. Also, when using finalAttrs, you don't need the let...in clause anymore. | 09:32:46 |
Genghiz | In reply to @drupol:matrix.org "Genghiz: The PR title needs to be updated. NixOS module needs a specific format. Also, when using finalAttrs, you don't need the let...in clause anymore." I put it through nixfmt and it gave me that as an output. Should I change that? | 09:54:21 |
Genghiz | And I’ll remove the let in from there. | 09:54:34 |
Genghiz | Made the changes, do have a look | 10:04:28 |
28 Sep 2024 |
ma27 | Pol uhm, the three updates apply cleanly (it's just the revert of the soap fix that didn't apply). Am I missing something? | 20:24:53 |
Pol | ma27: Feel free to take over, I have to leave the laptop | 20:30:19 |
ma27 | on it, just waiting for the builds to finish :) | 20:30:44 |
Pol | Oki, thanks | 20:30:54 |
Pol | I'll review it tomorrow | 20:31:01 |
tgerbet | Thanks, to be honest I just opened the PR because it "popped" on my security radar and I saw the usual PHP folks were not on it | 20:35:20 |
tgerbet | I can dedicate some capacity to work on the backport if needed 🙂 | 20:36:05 |
ma27 | what confuses me about #345177 is that all the patches are gated behind versionOlder clauses that don't apply for the PHPs we've packaged there. We now have 8.2.24 and 8.3.11, so none of these patches are applied. | 20:40:44 |