From aaa045714c53964418d667aa152196a82a65cc5a Mon Sep 17 00:00:00 2001 From: euxane Date: Thu, 1 Aug 2024 07:24:53 +0200 Subject: [PATCH 1/7] nixos/fcgiwrap-instances: backport isolated multi-instance module This backports the options `services.fcgiwrap.instances.*`, allowing to configure isolated instances of fcgiwrap, as an alternative to the global shared one. This prepares the deprecation of the latter. Backport of: commit efc7aebda7f85f67b52cc334066c6dd344371103 nixos/fcgiwrap: require explicit owner for UNIX sockets commit 4f2da6c9c17d75ba43fbe85d5243a57735a5e4eb nixos/fcgiwrap: add option migration instruction errors (partial: move to instances) commit 51b246a1acd4ce4926b8a78e3e7e0e6927d546ff nixos/fcgiwrap: do not run as root by default commit 81f72015f0b96b1227a2de38409049fba0e73aad nixos/fcgiwrap: add unix socket owner, private by default commit 289c1585c2a1f9ff9e159cbcdab664620dc9f7b3 nixos/fcgiwrap: limit prefork type to positives commit 3955eaf45015c9dd8a5a59412bf9c5e47b789a65 nixos/fcgiwrap: improve readability of CLI args commit 022289f2fadb3a3bad83273cd45d8a3e4753991e nixos/fcgiwrap: group options logically, fix doc commit 41419ca2883f7a3294711faf4961d043868e27ef nixos/fcgiwrap: refactor for multiple instances --- nixos/modules/module-list.nix | 1 + .../web-servers/fcgiwrap-instances.nix | 136 ++++++++++++++++++ 2 files changed, 137 insertions(+) create mode 100644 nixos/modules/services/web-servers/fcgiwrap-instances.nix diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 2479b219a3bc2..0cff23251a095 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1456,6 +1456,7 @@ ./services/web-servers/caddy/default.nix ./services/web-servers/darkhttpd.nix ./services/web-servers/fcgiwrap.nix + ./services/web-servers/fcgiwrap-instances.nix ./services/web-servers/garage.nix ./services/web-servers/hitch/default.nix ./services/web-servers/hydron.nix 
diff --git a/nixos/modules/services/web-servers/fcgiwrap-instances.nix b/nixos/modules/services/web-servers/fcgiwrap-instances.nix
new file mode 100644
index 0000000000000..4c02af7867d54
--- /dev/null
+++ b/nixos/modules/services/web-servers/fcgiwrap-instances.nix
@@ -0,0 +1,136 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ forEachInstance = f: flip mapAttrs' config.services.fcgiwrap.instances (
+ name: cfg: nameValuePair "fcgiwrap-${name}" (f cfg)
+ );
+
+in {
+ options.services.fcgiwrap.instances = mkOption {
+ description = "Configuration for fcgiwrap instances.";
+ default = { };
+ type = types.attrsOf (types.submodule ({ config, ... }: { options = {
+ process.prefork = mkOption {
+ type = types.ints.positive;
+ default = 1;
+ description = "Number of processes to prefork.";
+ };
+
+ process.user = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ User as which this instance of fcgiwrap will be run.
+ Set to `null` (the default) to use a dynamically allocated user.
+ '';
+ };
+
+ process.group = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = "Group as which this instance of fcgiwrap will be run.";
+ };
+
+ socket.type = mkOption {
+ type = types.enum [ "unix" "tcp" "tcp6" ];
+ default = "unix";
+ description = "Socket type: 'unix', 'tcp' or 'tcp6'.";
+ };
+
+ socket.address = mkOption {
+ type = types.str;
+ default = "/run/fcgiwrap-${config._module.args.name}.sock";
+ example = "1.2.3.4:5678";
+ description = ''
+ Socket address.
+ In case of a UNIX socket, this should be its filesystem path.
+ '';
+ };
+
+ socket.user = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ User to be set as owner of the UNIX socket.
+ '';
+ };
+
+ socket.group = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ Group to be set as owner of the UNIX socket.
+ '';
+ };
+
+ socket.mode = mkOption {
+ type = types.nullOr types.str;
+ default = if config.socket.type == "unix" then "0600" else null;
+ defaultText = literalExpression ''
+ if config.socket.type == "unix" then "0600" else null
+ '';
+ description = ''
+ Mode to be set on the UNIX socket.
+ Defaults to private to the socket's owner.
+ '';
+ };
+ }; }));
+ };
+
+ config = {
+ assertions = concatLists (mapAttrsToList (name: cfg: [
+ {
+ assertion = cfg.socket.type == "unix" -> cfg.socket.user != null;
+ message = "Socket owner is required for the UNIX socket type.";
+ }
+ {
+ assertion = cfg.socket.type == "unix" -> cfg.socket.group != null;
+ message = "Socket owner is required for the UNIX socket type.";
+ }
+ {
+ assertion = cfg.socket.user != null -> cfg.socket.type == "unix";
+ message = "Socket owner can only be set for the UNIX socket type.";
+ }
+ {
+ assertion = cfg.socket.group != null -> cfg.socket.type == "unix";
+ message = "Socket owner can only be set for the UNIX socket type.";
+ }
+ {
+ assertion = cfg.socket.mode != null -> cfg.socket.type == "unix";
+ message = "Socket mode can only be set for the UNIX socket type.";
+ }
+ ]) config.services.fcgiwrap.instances);
+
+ systemd.services = forEachInstance (cfg: {
+ after = [ "nss-user-lookup.target" ];
+ wantedBy = optional (cfg.socket.type != "unix") "multi-user.target";
+
+ serviceConfig = {
+ ExecStart = ''
+ ${pkgs.fcgiwrap}/sbin/fcgiwrap ${cli.toGNUCommandLineShell {} ({
+ c = cfg.process.prefork;
+ } // (optionalAttrs (cfg.socket.type != "unix") {
+ s = "${cfg.socket.type}:${cfg.socket.address}";
+ }))}
+ '';
+ } // (if cfg.process.user != null then {
+ User = cfg.process.user;
+ Group = cfg.process.group;
+ } else {
+ DynamicUser = true;
+ });
+ });
+
+ systemd.sockets = forEachInstance (cfg: mkIf (cfg.socket.type == "unix") {
+ wantedBy = [ "sockets.target" ];
+ socketConfig = {
+ ListenStream = cfg.socket.address;
+ SocketUser = cfg.socket.user;
+ SocketGroup = cfg.socket.group;
+ SocketMode = cfg.socket.mode;
+ };
+ });
+ };
+}
From 0cb1143443bdadeef1cd62f90219c2db5d898e1e Mon Sep 17 00:00:00 2001
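Review bot: The assertion for `cfg.socket.group` reuses the message of the `cfg.socket.user` assertion, so a missing group is reported as "Socket owner is required for the UNIX socket type." and the reader is sent to the wrong option; the second and fourth messages should read `message = "Socket group is required for the UNIX socket type.";` and `message = "Socket group can only be set for the UNIX socket type.";`. When `process.user` is set but `process.group` is left at `null`, `Group = cfg.process.group` puts a null into `serviceConfig`; unless the systemd module drops null values (not visible here), `// optionalAttrs (cfg.process.group != null) { Group = cfg.process.group; }` is the safer form. The `socket.type` description could also say that only UNIX sockets receive the `SocketUser`/`SocketGroup`/`SocketMode` protection configured in `systemd.sockets`, so a `tcp`/`tcp6` listener is reachable by anything that can connect to `socket.address`.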
From: euxane Date: Thu, 1 Aug 2024 07:24:53 +0200 Subject: [PATCH 2/7] nixos/fcgiwrap: add deprecation notice and security warning This deprecates the use of the global shared instance of fcgiwrap, due to its security issues (running as root by default, actually insecure control socket, allowing local privilege escalation, with no fix due to the multiple consumers). A warning is added to encourage users to migrate to properly isolated instances (`services.fcgiwrap.instances.*`). --- .../modules/services/web-servers/fcgiwrap.nix | 27 ++++++++++++++----- 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/nixos/modules/services/web-servers/fcgiwrap.nix b/nixos/modules/services/web-servers/fcgiwrap.nix index 3250e9c05ed66..aa0623c3328d5 100644 --- a/nixos/modules/services/web-servers/fcgiwrap.nix +++ b/nixos/modules/services/web-servers/fcgiwrap.nix @@ -4,6 +4,12 @@ with lib; let cfg = config.services.fcgiwrap; + deprecationNote = '' + + This global instance option is deprecated in favour of per-instance + options configured through `services.fcgiwrap.instances.*`. + ''; + in { options = { 
@@ -11,43 +17,52 @@ in { enable = mkOption { type = types.bool; default = false; - description = "Whether to enable fcgiwrap, a server for running CGI applications over FastCGI."; + description = "Whether to enable fcgiwrap, a server for running CGI applications over FastCGI." + deprecationNote; }; preforkProcesses = mkOption { type = types.int; default = 1; - description = "Number of processes to prefork."; + description = "Number of processes to prefork." + deprecationNote; }; socketType = mkOption { type = types.enum [ "unix" "tcp" "tcp6" ]; default = "unix"; - description = "Socket type: 'unix', 'tcp' or 'tcp6'."; + description = "Socket type: 'unix', 'tcp' or 'tcp6'." + deprecationNote; }; socketAddress = mkOption { type = types.str; default = "/run/fcgiwrap.sock"; example = "1.2.3.4:5678"; - description = "Socket address. In case of a UNIX socket, this should be its filesystem path."; + description = "Socket address. In case of a UNIX socket, this should be its filesystem path." + deprecationNote; }; user = mkOption { type = types.nullOr types.str; default = null; - description = "User permissions for the socket."; + description = "User permissions for the socket." + deprecationNote; }; group = mkOption { type = types.nullOr types.str; default = null; - description = "Group permissions for the socket."; + description = "Group permissions for the socket." + deprecationNote; }; }; }; config = mkIf cfg.enable { + warnings = [ + '' + The fcgiwrap module is configured with a global shared instance. + This has security implications: . + Isolated instances should instead be configured through `services.fcgiwrap.instances.*'. + The global options at `services.fcgiwrap.*` will be removed in NixOS 24.11. + '' + ]; + systemd.services.fcgiwrap = { after = [ "nss-user-lookup.target" ]; wantedBy = optional (cfg.socketType != "unix") "multi-user.target"; From 6a8e12421c0e3fa868f3e972b9093fc62788f642 Mon Sep 17 00:00:00 2001 
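Review bot: The new warning quotes the instances option with a backtick on one side and an apostrophe on the other (`services.fcgiwrap.instances.*'`), while the next line uses paired backticks around `services.fcgiwrap.*`; the same mismatch is carried into `securityWarning` in PATCH 6 and survives the message rewrite in PATCH 7 (same file, `@@ -11,7 +11,7`). Replace the trailing apostrophe with a closing backtick on that line in each of them. The `systemd.services.fcgiwrap` definition that follows continues outside the hunk.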
From: euxane Date: Thu, 1 Aug 2024 07:24:53 +0200 Subject: [PATCH 3/7] nixos/smokeping: use isolated fcgiwrap instance This makes the CGI part of smokeping run as the unprivileged "smokeping" user like the rest of the service (instead of root). This also sets proper permissions for the fcgiwrap control socket. Backport of: commit 4f2da6c9c17d75ba43fbe85d5243a57735a5e4eb nixos/fcgiwrap: add option migration instruction errors (partial: move to instances) commit c5dc3e203410bc3bfc77182cd8c6955b1bd64cfd nixos/fcgiwrap: adapt consumer modules and tests commit 8101ae41f8cefce9e518a550881302c4f58a8c5b nixos/fcgiwrap: adapt consumer modules and tests commit bf2ad6f48c95eea96768cc62dda7c6eb2097cbf4 nixos/fcgiwrap: adapt consumer modules and tests --- nixos/modules/services/networking/smokeping.nix | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix index 3fb3eac45cc82..9973c8cefbbcd 100644 --- a/nixos/modules/services/networking/smokeping.nix +++ b/nixos/modules/services/networking/smokeping.nix @@ -328,6 +328,7 @@ in }; preStart = '' mkdir -m 0755 -p ${smokepingHome}/cache ${smokepingHome}/data + chown -R ${cfg.user}:${cfg.user} ${smokepingHome}/{cache,data} ln -snf ${cfg.package}/htdocs/css ${smokepingHome}/css ln -snf ${cfg.package}/htdocs/js ${smokepingHome}/js ln -snf ${cgiHome} ${smokepingHome}/smokeping.fcgi @@ -337,7 +338,11 @@ in }; # use nginx to serve the smokeping web service - services.fcgiwrap.enable = mkIf cfg.webService true; + services.fcgiwrap.instances.smokeping = mkIf cfg.webService { + process.user = cfg.user; + process.group = cfg.user; + socket = { inherit (config.services.nginx) user group; }; + }; services.nginx = mkIf cfg.webService { enable = true; virtualHosts."smokeping" = { 
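Review bot: The `chown -R ${cfg.user}:${cfg.user} ${smokepingHome}/{cache,data}` added to `preStart` carries no explanation; per the commit message the CGI ran as root until now, so `cache` and `data` may hold root-owned files the now-unprivileged instance cannot write, which is why a recursive re-own is needed on upgrade. A comment above it, `# re-own files written while the CGI still ran as root`, records that, and the brace expansion `{cache,data}` is worth spelling out as two paths if the preStart shell is not guaranteed to be bash. Both this line and `process.group = cfg.user` in the next hunk assume a group named after `cfg.user` exists; that declaration is outside the hunk, so presumably it is made elsewhere in the module. The enclosing service definition starts before this hunk.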
@@ -349,7 +354,7 @@ in locations."/smokeping.fcgi" = { extraConfig = '' include ${config.services.nginx.package}/conf/fastcgi_params; - fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; + fastcgi_pass unix:${config.services.fcgiwrap.instances.smokeping.socket.address}; fastcgi_param SCRIPT_FILENAME ${smokepingHome}/smokeping.fcgi; fastcgi_param DOCUMENT_ROOT ${smokepingHome}; ''; From 483dd7e3c642d0b71f7dce536b4255f0669d028c Mon Sep 17 00:00:00 2001 From: euxane Date: Thu, 1 Aug 2024 07:24:53 +0200 Subject: [PATCH 4/7] nixos/zoneminder: use isolated fcgiwrap instance Backport of: commit fcb2a4a5fff1903d403955a9753a34f79bb24455 nixos/zoneminder: set fcgiwrap socket owner commit 4f2da6c9c17d75ba43fbe85d5243a57735a5e4eb nixos/fcgiwrap: add option migration instruction errors (partial: move to instances) commit 8101ae41f8cefce9e518a550881302c4f58a8c5b nixos/fcgiwrap: adapt consumer modules and tests commit bf2ad6f48c95eea96768cc62dda7c6eb2097cbf4 nixos/fcgiwrap: adapt consumer modules and tests --- nixos/modules/services/misc/zoneminder.nix | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/nixos/modules/services/misc/zoneminder.nix b/nixos/modules/services/misc/zoneminder.nix index d09cd87febfff..469af04d106d0 100644 --- a/nixos/modules/services/misc/zoneminder.nix +++ b/nixos/modules/services/misc/zoneminder.nix @@ -202,10 +202,11 @@ in { ]; services = { - fcgiwrap = lib.mkIf useNginx { - enable = true; - preforkProcesses = cfg.cameras; - inherit user group; + fcgiwrap.instances.zoneminder = lib.mkIf useNginx { + process.prefork = cfg.cameras; + process.user = user; + process.group = group; + socket = { inherit (config.services.nginx) user group; }; }; mysql = lib.mkIf cfg.database.createLocally { 
@@ -225,9 +226,7 @@ in { default = true; root = "${pkg}/share/zoneminder/www"; listen = [ { addr = "0.0.0.0"; inherit (cfg) port; } ]; - extraConfig = let - fcgi = config.services.fcgiwrap; - in '' + extraConfig = '' index index.php; location / { @@ -257,7 +256,7 @@ in { fastcgi_param HTTP_PROXY ""; fastcgi_intercept_errors on; - fastcgi_pass ${fcgi.socketType}:${fcgi.socketAddress}; + fastcgi_pass unix:${config.services.fcgiwrap.instances.zoneminder.socket.address}; } location /cache/ { From 31cdff5bafec3425fc1b81ad570f97bf4c10d53a Mon Sep 17 00:00:00 2001 From: euxane Date: Thu, 1 Aug 2024 07:24:53 +0200 Subject: [PATCH 5/7] nixos/cgit: use isolated fcgiwrap instance, add user/group options This adds options to set the users and groups as which cgit instances run, allowing the use of an unprivileged user instead of root. "root" is kept as the default user to avoid breaking existing setups, but a warning is shown in that case to alert the user. Backport of: commit 4f2da6c9c17d75ba43fbe85d5243a57735a5e4eb nixos/fcgiwrap: add option migration instruction errors (partial: move to instances) commit 3d10deb7a5631e057bb5d84b5a6bd8fdf361a00a nixos/cgit: fix GIT_PROJECT_ROOT ownership commit 2d8626bf0a35659a480c1a92bbd2682625a66e0f nixos/cgit: configurable user instead of root commit c5dc3e203410bc3bfc77182cd8c6955b1bd64cfd nixos/fcgiwrap: adapt consumer modules and tests commit 8101ae41f8cefce9e518a550881302c4f58a8c5b nixos/fcgiwrap: adapt consumer modules and tests commit bf2ad6f48c95eea96768cc62dda7c6eb2097cbf4 nixos/fcgiwrap: adapt consumer modules and tests --- nixos/modules/services/networking/cgit.nix | 103 +++++++++++++++------ 1 file changed, 75 insertions(+), 28 deletions(-) diff --git a/nixos/modules/services/networking/cgit.nix b/nixos/modules/services/networking/cgit.nix index 0ccbef756812e..6f15e92aa2c43 100644 --- a/nixos/modules/services/networking/cgit.nix +++ b/nixos/modules/services/networking/cgit.nix 
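Review bot: `fastcgi_pass unix:${config.services.fcgiwrap.instances.zoneminder.socket.address}` assumes the instance keeps its default `socket.type = "unix"`; a user who sets `socket.type = "tcp"` on that instance gets an nginx upstream pointing at a non-existent path, and nothing in this module catches it. The replaced `${fcgi.socketType}:${fcgi.socketAddress}` had the same limitation in practice, since nginx's documented `fastcgi_pass` syntax takes `unix:` or `host:port` and not a `tcp:` prefix, so this is not a regression. An assertion such as `{ assertion = config.services.fcgiwrap.instances.zoneminder.socket.type == "unix"; message = "zoneminder's nginx vhost requires a UNIX fcgiwrap socket."; }` would make the coupling explicit; the smokeping and cgit `fastcgi_pass` lines in PATCH 3 and PATCH 5 have the same dependency.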
@@ -25,14 +25,14 @@ let regexLocation = cfg: regexEscape (stripLocation cfg); - mkFastcgiPass = cfg: '' + mkFastcgiPass = name: cfg: '' ${if cfg.nginx.location == "/" then '' fastcgi_param PATH_INFO $uri; '' else '' fastcgi_split_path_info ^(${regexLocation cfg})(/.+)$; fastcgi_param PATH_INFO $fastcgi_path_info; '' - }fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; + }fastcgi_pass unix:${config.services.fcgiwrap.instances."cgit-${name}".socket.address}; ''; cgitrcLine = name: value: "${name}=${ @@ -72,25 +72,11 @@ let ${cfg.extraConfig} ''; - mkCgitReposDir = cfg: - if cfg.scanPath != null then - cfg.scanPath - else - pkgs.runCommand "cgit-repos" { - preferLocalBuild = true; - allowSubstitutes = false; - } '' - mkdir -p "$out" - ${ - concatStrings ( - mapAttrsToList - (name: value: '' - ln -s ${escapeShellArg value.path} "$out"/${escapeShellArg name} - '') - cfg.repos - ) - } - ''; + fcgiwrapUnitName = name: "fcgiwrap-cgit-${name}"; + fcgiwrapRuntimeDir = name: "/run/${fcgiwrapUnitName name}"; + gitProjectRoot = name: cfg: if cfg.scanPath != null + then cfg.scanPath + else "${fcgiwrapRuntimeDir name}/repos"; in { @@ -154,6 +140,30 @@ in type = types.lines; default = ""; }; + + user = mkOption { + description = '' + User to run the cgit service as. + + Defaults to "root" for compatibility with legacy setups. + Will default to the unprivileged user "cgit" in NixOS 24.11. + ''; + type = types.str; + default = "root"; + example = "cgit"; + }; + + group = mkOption { + description = '' + Group to run the cgit service as. + + Defaults to "root" for compatibility with legacy setups. + Will default to the unprivileged user "cgit" in NixOS 24.11. + ''; + type = types.str; + default = "root"; + example = "cgit"; + }; }; })); }; 
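Review bot: The `group` option's description is copied from `user` and says the default will become the unprivileged user "cgit"; it should read `Will default to the unprivileged group "cgit" in NixOS 24.11.`. `fcgiwrapRuntimeDir` spells out `/run/${fcgiwrapUnitName name}` by hand, which silently depends on `RuntimeDirectory = fcgiwrapUnitName name` being set on that unit in the config section (outside this hunk); a comment such as `# mirrors serviceConfig.RuntimeDirectory of the fcgiwrap-cgit-* unit` keeps the two in step. The `let` block and the options submodule both extend beyond this hunk.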
@@ -165,18 +175,55 @@ in message = "Exactly one of services.cgit.${vhost}.scanPath or services.cgit.${vhost}.repos must be set."; }) cfgs; - services.fcgiwrap.enable = true; + warnings = flatten (flip mapAttrsToList cfgs (inst: cfg: + optional (cfg.user == "root") '' + `services.cgit.${inst}` is configured to run as root. + This has security implications: . + It is recommended to set an unprivileged user explicitly. + This default user will be set to "cgit" in NixOS 24.11. + '' + )); + + users = mkMerge (flip mapAttrsToList cfgs (_: cfg: { + users.${cfg.user} = { + isSystemUser = true; + inherit (cfg) group; + }; + groups.${cfg.group} = { }; + })); + + services.fcgiwrap.instances = flip mapAttrs' cfgs (name: cfg: + nameValuePair "cgit-${name}" { + process = { inherit (cfg) user group; }; + socket = { inherit (config.services.nginx) user group; }; + } + ); + + systemd.services = flip mapAttrs' cfgs (name: cfg: + nameValuePair (fcgiwrapUnitName name) + (mkIf (cfg.repos != { }) { + serviceConfig.RuntimeDirectory = fcgiwrapUnitName name; + preStart = '' + GIT_PROJECT_ROOT=${escapeShellArg (gitProjectRoot name cfg)} + mkdir -p "$GIT_PROJECT_ROOT" + cd "$GIT_PROJECT_ROOT" + ${concatLines (flip mapAttrsToList cfg.repos (name: repo: '' + ln -s ${escapeShellArg repo.path} ${escapeShellArg name} + ''))} + ''; + } + )); services.nginx.enable = true; - services.nginx.virtualHosts = mkMerge (mapAttrsToList (_: cfg: { + services.nginx.virtualHosts = mkMerge (mapAttrsToList (name: cfg: { ${cfg.nginx.virtualHost} = { locations = ( genAttrs' [ "cgit.css" "cgit.png" "favicon.ico" "robots.txt" ] - (name: nameValuePair "= ${stripLocation cfg}/${name}" { + (fileName: nameValuePair "= ${stripLocation cfg}/${fileName}" { extraConfig = '' - alias ${cfg.package}/cgit/${name}; + alias ${cfg.package}/cgit/${fileName}; ''; }) ) // { 
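Review bot: With the default `user = "root"`, the new `users` block declares `users.users.root = { isSystemUser = true; group = "root"; }` and `users.groups.root = { }` from a service module, i.e. it redefines the system's root account for every legacy cgit vhost; whether the users module accepts `isSystemUser` on root is not visible here, but restricting account creation to non-root users, `users = mkMerge (flip mapAttrsToList (filterAttrs (_: cfg: cfg.user != "root") cfgs) (_: cfg: { ... }));`, avoids touching it at all. In the fcgiwrap unit's `preStart`, the inner lambda `(name: repo: ...)` shadows the outer `name` (the vhost name) that `gitProjectRoot name cfg` and `fcgiwrapUnitName name` use a few lines above; renaming it, `${concatLines (flip mapAttrsToList cfg.repos (repoName: repo: ''` with `ln -s ${escapeShellArg repo.path} ${escapeShellArg repoName}`, removes the reading hazard. The `config` attribute set continues outside the hunk.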
@@ -184,10 +231,10 @@ in fastcgiParams = rec { SCRIPT_FILENAME = "${pkgs.git}/libexec/git-core/git-http-backend"; GIT_HTTP_EXPORT_ALL = "1"; - GIT_PROJECT_ROOT = mkCgitReposDir cfg; + GIT_PROJECT_ROOT = gitProjectRoot name cfg; HOME = GIT_PROJECT_ROOT; }; - extraConfig = mkFastcgiPass cfg; + extraConfig = mkFastcgiPass name cfg; }; "${stripLocation cfg}/" = { fastcgiParams = { @@ -196,7 +243,7 @@ in HTTP_HOST = "$server_name"; CGIT_CONFIG = mkCgitrc cfg; }; - extraConfig = mkFastcgiPass cfg; + extraConfig = mkFastcgiPass name cfg; }; }; }; From fee11ef959adac33aa2bca8ccbb7dda918fce8f6 Mon Sep 17 00:00:00 2001 From: euxane Date: Thu, 8 Aug 2024 02:22:48 +0200 Subject: [PATCH 6/7] nixos/fcgiwrap: fail eval with security assertion This adds a security assertion when using the global instance of fcgiwrap, which is vulnerable to a local privilege escalation. This is in addition to the current evaluation warning, and is more in line with being loud with security issues, similarly to with vulnerable packages. The evaluation failure can nevertheless be bypassed by setting: `services.fcgiwrap.allowGlobalInstanceLocalPrivilegeEscalation = true`. --- .../modules/services/web-servers/fcgiwrap.nix | 34 +++++++++++++++---- 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/nixos/modules/services/web-servers/fcgiwrap.nix b/nixos/modules/services/web-servers/fcgiwrap.nix index aa0623c3328d5..290bcfd9b65c1 100644 --- a/nixos/modules/services/web-servers/fcgiwrap.nix +++ b/nixos/modules/services/web-servers/fcgiwrap.nix @@ -9,6 +9,12 @@ let This global instance option is deprecated in favour of per-instance options configured through `services.fcgiwrap.instances.*`. ''; + securityWarning = '' + The fcgiwrap module is configured with a global shared instance. + This has security implications: . + Isolated instances should instead be configured through `services.fcgiwrap.instances.*'. + The global options at `services.fcgiwrap.*` will be removed in NixOS 24.11. + ''; in { 
@@ -20,6 +26,17 @@ in { description = "Whether to enable fcgiwrap, a server for running CGI applications over FastCGI." + deprecationNote; }; + allowGlobalInstanceLocalPrivilegeEscalation = mkOption { + type = types.bool; + default = false; + description = '' + The global instance of fcgiwrap configured through this module + has a local privilege escalation vulnerability. + Set this option to true to accept the risk and bypass the evaluation + failure regardless. + ''; + }; + preforkProcesses = mkOption { type = types.int; default = 1; @@ -54,15 +71,18 @@ in { }; config = mkIf cfg.enable { - warnings = [ - '' - The fcgiwrap module is configured with a global shared instance. - This has security implications: . - Isolated instances should instead be configured through `services.fcgiwrap.instances.*'. - The global options at `services.fcgiwrap.*` will be removed in NixOS 24.11. - '' + assertions = [ + { + assertion = cfg.allowGlobalInstanceLocalPrivilegeEscalation; + message = securityWarning + '' + To temporarily accept the risk and continue using the global instance, + set `services.fcgiwrap.allowGlobalInstanceLocalPrivilegeEscalation` to true. + ''; + } ]; + warnings = [ securityWarning ]; + systemd.services.fcgiwrap = { after = [ "nss-user-lookup.target" ]; wantedBy = optional (cfg.socketType != "unix") "multi-user.target"; From 8931f18bfaf75e25009b9028657e18de334fe2c5 Mon Sep 17 00:00:00 2001 From: euxane Date: Sat, 31 Aug 2024 17:15:42 +0200 Subject: [PATCH 7/7] nixos/fcgiwrap: add security advisory links to messages --- nixos/modules/services/networking/cgit.nix | 2 +- nixos/modules/services/web-servers/fcgiwrap.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nixos/modules/services/networking/cgit.nix b/nixos/modules/services/networking/cgit.nix index 6f15e92aa2c43..c4ecc86c12353 100644 --- a/nixos/modules/services/networking/cgit.nix +++ b/nixos/modules/services/networking/cgit.nix 
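Review bot: The description of `allowGlobalInstanceLocalPrivilegeEscalation` does not say that setting it only lifts the assertion: in the second hunk, `warnings = [ securityWarning ];` is emitted unconditionally whenever `cfg.enable` is true, so the opt-in still produces the warning at every evaluation. Add to the description `Even when set, the evaluation warning about the global instance is still emitted.`, and consider carrying the advisory link that PATCH 7 adds to `securityWarning` into this description too, so the option explains itself on the options search without triggering the failure first. The `config = mkIf cfg.enable` block continues outside the hunk.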
@@ -178,7 +178,7 @@ in warnings = flatten (flip mapAttrsToList cfgs (inst: cfg: optional (cfg.user == "root") '' `services.cgit.${inst}` is configured to run as root. - This has security implications: . + This has security implications. See advisory: https://discourse.nixos.org/t/51419 It is recommended to set an unprivileged user explicitly. This default user will be set to "cgit" in NixOS 24.11. '' diff --git a/nixos/modules/services/web-servers/fcgiwrap.nix b/nixos/modules/services/web-servers/fcgiwrap.nix index 290bcfd9b65c1..1c89ae261bee1 100644 --- a/nixos/modules/services/web-servers/fcgiwrap.nix +++ b/nixos/modules/services/web-servers/fcgiwrap.nix @@ -11,7 +11,7 @@ let ''; securityWarning = '' The fcgiwrap module is configured with a global shared instance. - This has security implications: . + This has security implications. See advisory: https://discourse.nixos.org/t/51419 Isolated instances should instead be configured through `services.fcgiwrap.instances.*'. The global options at `services.fcgiwrap.*` will be removed in NixOS 24.11. '';