movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-15 05:59:17 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixos/doc: mention postgresql hardening

Browse source
This commit is contained in:
Maximilian Bosch 2024-11-01 15:44:27 +01:00
parent 0f1e2a1cd8
commit 70a6092f1e
No known key found for this signature in database
2 changed files with 23 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

18
nixos/modules/services/databases/postgresql.md
View file

@ -364,6 +364,24 @@ postgresql.withJIT.pname
evaluates to `"foobar"`.
## Service hardening {#module-services-postgres-hardening}
The service created by the [`postgresql`-module](#opt-services.postgresql.enable) uses
several common hardening options from `systemd`, most notably:
* Memory pages must not be both writable and executable (this only applies to non-JIT setups).
* A system call filter (see {manpage}`systemd.exec(5)` for details on `@system-service`).
* A stricter default UMask (`0027`).
* Only sockets of type `AF_INET`/`AF_INET6`/`AF_NETLINK`/`AF_UNIX` allowed.
* Restricted filesystem access (private `/tmp`, most of the file-system hierachy is mounted read-only, only process directories in `/proc` that are owned by the same user).
The NixOS module also contains necessary adjustments for extensions from `nixpkgs`
if these are enabled. If an extension or a postgresql feature from `nixpkgs` breaks
with hardening, it's considered a bug.
When using extensions that are not packaged in `nixpkgs`, hardening adjustments may
become necessary.
## Notable differences to upstream {#module-services-postgres-upstream-deviation}
- To avoid circular dependencies between default and -dev outputs, the output of the `pg_config` system view has been removed.