From ef29938bf39394e3835b2b4afb6bd167fc838c27 Mon Sep 17 00:00:00 2001
From: Molly Miller
Date: Mon, 25 Nov 2024 10:07:45 +0100
Subject: [PATCH] nixos/frr: make runtime directory world-readable

FRR intends for non-root users to connect to the VTY sockets if they are members of the frrvty group, however this is not possible if non-root/non-frr users cannot access the runtime directory. The sockets used by the FRR daemons for internal IPC are also created in the runtime directory, however these are created with appropriately restrictive permissions to prevent interference.
---
 nixos/modules/services/networking/frr.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/networking/frr.nix b/nixos/modules/services/networking/frr.nix
index a70d1dd6554fdf..3ffd1c3f070a51 100644
--- a/nixos/modules/services/networking/frr.nix
+++ b/nixos/modules/services/networking/frr.nix
@@ -220,7 +220,7 @@ in
 '';
 };
- systemd.tmpfiles.rules = [ "d /run/frr 0750 frr frr -" ];
+ systemd.tmpfiles.rules = [ "d /run/frr 0755 frr frr -" ];
 systemd.services.frr = {
 description = "FRRouting";
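Review bot: The new `d /run/frr 0755 frr frr -` rule grants read and search on the runtime directory to every local account, not only `frrvty` members, so access control for everything the daemons create under `/run/frr` now rests solely on each file's own mode. The commit message says the internal IPC sockets are created restrictively, but nothing in this hunk enforces or records that assumption; a comment above the rule would keep it visible, e.g. `# 0755 so frrvty members can reach the VTY sockets; daemon IPC sockets and other runtime files must keep owner/group-only modes`. If clients only need to traverse the directory and never list it, `0751` would allow the connection without exposing the file names, but that depends on how the VTY client discovers its sockets and should be confirmed before adopting it. The surrounding module body starts and ends outside the hunk, so whether other settings create files in `/run/frr` cannot be checked from here.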