Comparing changes

base repository: NixOS/nixpkgs
base: 148e7726be70
head repository: NixOS/nixpkgs
compare: 1a63afd5aa68
  • 2 commits
  • 2 files changed
  • 2 contributors

Commits on Nov 21, 2019

  1. nixos/phpfpm: enable PrivateTmp=true

    This seems to be mostly a pre-#57677 relict. As postgresql sockets now
    are not in /tmp anymore, isolate /tmp.
    flokli committed Nov 21, 2019
    4321a88

Commits on Nov 22, 2019

  1. Merge pull request #73886 from flokli/phpfpm-privatetmp

    nixos/phpfpm: enable PrivateTmp=true
    fpletz authored Nov 22, 2019
    1a63afd
Showing with 9 additions and 0 deletions.
  1. +8 −0 nixos/doc/manual/release-notes/rl-2003.xml
  2. +1 −0 nixos/modules/services/web-servers/phpfpm/default.nix
8 changes: 8 additions & 0 deletions nixos/doc/manual/release-notes/rl-2003.xml
@@ -163,6 +163,14 @@
time during the releases development (if viable).
</para>
</listitem>
<listitem>
<para>
The <link linkend="opt-services.phpfpm.pools">phpfpm</link> module now sets
<literal>PrivateTmp=true</literal> in its systemd units for better process isolation.
If you rely on <literal>/tmp</literal> being shared with other services, explicitly override this by
setting <literal>serviceConfig.PrivateTmp</literal> to <literal>false</literal> for each phpfpm unit.
</para>
</listitem>
</itemizedlist>
</section>
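
Review bot: the new paragraph names only `/tmp`, but systemd's `PrivateTmp=` also gives the unit a private `/var/tmp`, and both private directories are removed when the unit stops, so PHP applications that keep sessions or uploads there lose them on a service restart; the note should say so. The opt-out text "setting serviceConfig.PrivateTmp to false for each phpfpm unit" would also be easier to act on if it gave the full option path (`systemd.services.<unit name>.serviceConfig.PrivateTmp`), since the paragraph never says how the units are named.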

1 change: 1 addition & 0 deletions nixos/modules/services/web-servers/phpfpm/default.nix
@@ -262,6 +262,7 @@ in {
in {
Slice = "phpfpm.slice";
PrivateDevices = true;
PrivateTmp = true;
ProtectSystem = "full";
ProtectHome = true;
# XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work
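
Review bot: `PrivateTmp = true;` is added as a plain definition, so a user who follows the release note and sets `serviceConfig.PrivateTmp = false` at normal priority defines the same option twice with different values and will get a conflict rather than an override unless they use `mkForce`. Either set it as `PrivateTmp = mkDefault true;` here, or have the release note state that `mkForce false` is required. A short comment next to the line recording why isolation is now safe (the commit message's point that the postgresql sockets are no longer in /tmp) would also help later readers, as the neighbouring `# XXX:` comment does for the netlink exception.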