Addressing PR feedback
This commit is contained in:
parent
9de070e620
commit
e92b8402b0
@ -202,7 +202,7 @@ following incompatible changes:</para>
|
||||
|
||||
<listitem>
|
||||
<para>The directory container setuid wrapper programs,
|
||||
<filename>/var/permissions-wrappers</filename>, <link
|
||||
<filename>/var/setuid-wrappers</filename>, <link
|
||||
xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now
|
||||
updated atomically to prevent failures if the switch to a new
|
||||
configuration is interrupted.</link></para>
|
||||
|
@ -15,6 +15,14 @@ has the following highlights: </para>
|
||||
xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">Nixpkgs
|
||||
manual</link> for more information.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
<para>Setting capabilities on programs is now supported with a
|
||||
<literal>setcap-wrapper</literal> functionality. This
|
||||
functionality and the <literal>setuid-wrapper</literal> are merged
|
||||
into a single "wrappers" module.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The following new services were added since the last release:</para>
|
||||
|
@ -168,8 +168,8 @@ in
|
||||
|
||||
${cfg.extraInit}
|
||||
|
||||
# The setuid wrappers override other bin directories.
|
||||
export PATH="${config.security.permissionsWrapperDir}:$PATH"
|
||||
# The setuid/setcap wrappers override other bin directories.
|
||||
export PATH="${config.security.wrapperDir}:$PATH"
|
||||
|
||||
# ~/bin if it exists overrides other bin directories.
|
||||
export PATH="$HOME/bin:$PATH"
|
||||
|
@ -343,7 +343,7 @@ foreach my $fs (read_file("/proc/self/mountinfo")) {
|
||||
|
||||
# Skip special filesystems.
|
||||
next if in($mountPoint, "/proc") || in($mountPoint, "/dev") || in($mountPoint, "/sys") || in($mountPoint, "/run") || $mountPoint eq "/var/lib/nfs/rpc_pipefs";
|
||||
next if $mountPoint eq "/var/permissions-wrappers";
|
||||
next if $mountPoint eq "/run/wrappers";
|
||||
|
||||
# Skip the optional fields.
|
||||
my $n = 6; $n++ while $fields[$n] ne "-"; $n++;
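Review bot: The new line `next if $mountPoint eq "/run/wrappers";` looks unreachable: the line just above it already skips every mount point under /run via `in($mountPoint, "/run")`, assuming `in` is the path-prefix test its other arguments (`/proc`, `/dev`, `/sys`) suggest. The old `/var/permissions-wrappers` check was needed because /var is not skipped, but that justification no longer holds. Either drop the line or keep it with `# redundant: covered by the /run prefix check above` so the next reader does not assume /run/wrappers needs special handling. The enclosing foreach starts before this hunk.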
|
||||
|
@ -92,14 +92,13 @@ fi
|
||||
mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home
|
||||
mkdir -m 01777 -p $mountPoint/tmp
|
||||
mkdir -m 0755 -p $mountPoint/tmp/root
|
||||
mkdir -m 0755 -p $mountPoint/var/permissions-wrappers
|
||||
mkdir -m 0755 -p $mountPoint/var
|
||||
mkdir -m 0700 -p $mountPoint/root
|
||||
mount --rbind /dev $mountPoint/dev
|
||||
mount --rbind /proc $mountPoint/proc
|
||||
mount --rbind /sys $mountPoint/sys
|
||||
mount --rbind / $mountPoint/tmp/root
|
||||
mount -t tmpfs -o "mode=0755" none $mountPoint/run
|
||||
mount -t tmpfs -o "mode=0755" none $mountPoint/var/permissions-wrappers
|
||||
rm -rf $mountPoint/var/run
|
||||
ln -s /run $mountPoint/var/run
|
||||
for f in /etc/resolv.conf /etc/hosts; do rm -f $mountPoint/$f; [ -f "$f" ] && cp -Lf $f $mountPoint/etc/; done
|
||||
@ -260,9 +259,9 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate
|
||||
|
||||
|
||||
# Ask the user to set a root password.
|
||||
if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /var/permissions-wrappers/passwd ] && [ -t 0 ]; then
|
||||
if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/passwd ] && [ -t 0 ]; then
|
||||
echo "setting root password..."
|
||||
chroot $mountPoint /var/permissions-wrappers/passwd
|
||||
chroot $mountPoint /run/wrappers/passwd
|
||||
fi
|
||||
|
||||
|
||||
|
@ -113,7 +113,7 @@
|
||||
./security/prey.nix
|
||||
./security/rngd.nix
|
||||
./security/rtkit.nix
|
||||
./security/permissions-wrappers
|
||||
./security/wrappers
|
||||
./security/sudo.nix
|
||||
./services/amqp/activemq/default.nix
|
||||
./services/amqp/rabbitmq.nix
|
||||
|
@ -11,13 +11,6 @@ in
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [ pkgs.kbdlight ];
|
||||
|
||||
security.permissionsWrappers.setuid =
|
||||
[ { program = "kbdlight";
|
||||
source = "${pkgs.kbdlight.out}/bin/kbdlight";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}];
|
||||
security.setuidPrograms = [ "kbdlight" ];
|
||||
};
|
||||
}
|
||||
|
@ -21,13 +21,6 @@ in
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [ pkgs.light ];
|
||||
|
||||
security.permissionsWrappers.setuid =
|
||||
[ { program = "light";
|
||||
source = "${pkgs.light.out}/bin/light";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}];
|
||||
security.setuidPrograms = [ "light" ];
|
||||
};
|
||||
}
|
||||
|
@ -101,49 +101,9 @@ in
|
||||
chpasswd = { rootOK = true; };
|
||||
};
|
||||
|
||||
|
||||
security.permissionsWrappers.setuid =
|
||||
[
|
||||
{ program = "su";
|
||||
source = "${pkgs.shadow.su}/bin/su";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}
|
||||
|
||||
{ program = "chfn";
|
||||
source = "${pkgs.shadow.out}/bin/chfn";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}
|
||||
] ++
|
||||
(lib.optionals config.users.mutableUsers
|
||||
map (x: x // { owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
})
|
||||
[
|
||||
{ program = "passwd";
|
||||
source = "${pkgs.shadow.out}/bin/passwd";
|
||||
}
|
||||
|
||||
{ program = "sg";
|
||||
source = "${pkgs.shadow.out}/bin/sg";
|
||||
}
|
||||
|
||||
{ program = "newgrp";
|
||||
source = "${pkgs.shadow.out}/bin/newgrp";
|
||||
}
|
||||
|
||||
{ program = "newuidmap";
|
||||
source = "${pkgs.shadow.out}/bin/newuidmap";
|
||||
}
|
||||
|
||||
{ program = "newgidmap";
|
||||
source = "${pkgs.shadow.out}/bin/newgidmap";
|
||||
}
|
||||
]
|
||||
);
|
||||
security.setuidPrograms = [
|
||||
"su" "chfn" "newuidmap" "newgidmap"
|
||||
] ++ lib.optionals config.users.mutableUsers
|
||||
[ "passwd" "sg" "newgrp" ];
|
||||
};
|
||||
}
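Review bot: Moving su, chfn, passwd, sg, newgrp, newuidmap and newgidmap to `security.setuidPrograms` drops the explicit `source` each removed entry carried; the new module then resolves the target by path lookup (`type -tP` on `$WRAPPER_PATH`, falling back to `/nix/var/nix/profiles/default/bin/<program>`), so which binary becomes setuid root is no longer a pinned store path. This matters most for `su`, which previously came from the separate `pkgs.shadow.su` output rather than `pkgs.shadow.out`. If pinning is intended, keep these as `security.wrappers.su = { source = "${pkgs.shadow.su}/bin/su"; owner = "root"; group = "root"; setuid = true; };`-style entries, with the `config.users.mutableUsers` split expressed via `lib.optionalAttrs`.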
|
||||
|
@ -19,7 +19,7 @@ with lib;
|
||||
config = mkIf (cfg.confineSUIDApplications) {
|
||||
security.apparmor.profiles = [ (pkgs.writeText "ping" ''
|
||||
#include <tunables/global>
|
||||
/var/permissions-wrappers/ping {
|
||||
/run/wrappers/ping {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
#include <abstractions/nameservice>
|
||||
@ -33,7 +33,7 @@ with lib;
|
||||
${pkgs.attr.out}/lib/libattr.so* mr,
|
||||
|
||||
${pkgs.iputils}/bin/ping mixr,
|
||||
/var/permissions-wrappers/ping.real r,
|
||||
/run/wrappers/ping.real r,
|
||||
|
||||
#/etc/modules.conf r,
|
||||
|
||||
|
@ -27,10 +27,6 @@ in
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [ sandbox ];
|
||||
security.permissionsWrappers.setuid = [
|
||||
{ program = sandbox.passthru.sandboxExecutableName;
|
||||
source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";
|
||||
}
|
||||
];
|
||||
security.setuidPrograms = [ sandbox.passthru.sandboxExecutableName ];
|
||||
};
|
||||
}
|
||||
|
@ -188,16 +188,7 @@ in
|
||||
|
||||
environment.systemPackages = [ pkgs.duo-unix ];
|
||||
|
||||
security.permissionsWrappers.setuid =
|
||||
[
|
||||
{ program = "login_duo";
|
||||
source = "${pkgs.duo-unix.out}/bin/login_duo";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}
|
||||
];
|
||||
|
||||
security.setuidPrograms = [ "login_duo" ];
|
||||
environment.etc = loginCfgFile ++ pamCfgFile;
|
||||
|
||||
/* If PAM *and* SSH are enabled, then don't do anything special.
|
||||
|
@ -472,33 +472,14 @@ in
|
||||
++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
|
||||
++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
|
||||
|
||||
security.permissionsWrappers.setuid =
|
||||
[
|
||||
{ program = "unix_chkpwd";
|
||||
source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}
|
||||
security.setuidPrograms =
|
||||
optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ];
|
||||
|
||||
|
||||
|
||||
] ++ (optional config.security.pam.enableEcryptfs
|
||||
{ program = "umount.ecryptfs_private";
|
||||
source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}
|
||||
) ++ (optional config.security.pam.enableEcryptfs
|
||||
{ program = "mount.ecryptfs_private";
|
||||
source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}
|
||||
);
|
||||
|
||||
security.wrappers.unix_chkpwd = {
|
||||
source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
|
||||
owner = "root";
|
||||
setuid = true;
|
||||
};
|
||||
|
||||
environment.etc =
|
||||
mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
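Review bot: `security.wrappers.unix_chkpwd` omits `group`, so the new module's default of `nogroup` applies and the wrapper is chowned root:nogroup instead of the root:root the removed entry set; add `group = "root";` to the attrset. Separately, moving mount.ecryptfs_private and umount.ecryptfs_private to `security.setuidPrograms` drops the pinned `${pkgs.ecryptfs.out}` sources, so the setuid-root target is whatever binary of that name the build-time path lookup (or the default-profile fallback) finds. If that is acceptable it deserves a one-line comment; otherwise keep them as `security.wrappers.<name>` entries with an explicit `source`.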
|
||||
|
@ -33,22 +33,7 @@ in
|
||||
config = mkIf (cfg.enable || anyUsbAuth) {
|
||||
|
||||
# Make sure pmount and pumount are setuid wrapped.
|
||||
security.permissionsWrappers.setuid =
|
||||
[
|
||||
{ program = "pmount";
|
||||
source = "${pkgs.pmount.out}/bin/pmount";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}
|
||||
|
||||
{ program = "pumount";
|
||||
source = "${pkgs.pmount.out}/bin/pumount";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}
|
||||
];
|
||||
security.setuidPrograms = [ "pmount" "pumount" ];
|
||||
|
||||
environment.systemPackages = [ pkgs.pmount ];
|
||||
|
||||
|
@ -1,191 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
|
||||
inherit (config.security) run-permissionsWrapperDir permissionsWrapperDir;
|
||||
|
||||
isNotNull = v: if v != null then true else false;
|
||||
|
||||
cfg = config.security.permissionsWrappers;
|
||||
|
||||
setcapWrappers = import ./setcap-wrapper-drv.nix {
|
||||
inherit config lib pkgs;
|
||||
};
|
||||
|
||||
setuidWrappers = import ./setuid-wrapper-drv.nix {
|
||||
inherit config lib pkgs;
|
||||
};
|
||||
|
||||
###### Activation script for the setcap wrappers
|
||||
configureSetcapWrapper =
|
||||
{ program
|
||||
, capabilities
|
||||
, source ? null
|
||||
, owner ? "nobody"
|
||||
, group ? "nogroup"
|
||||
}: ''
|
||||
cp ${setcapWrappers}/bin/${program}.wrapper $permissionsWrapperDir/${program}
|
||||
|
||||
# Prevent races
|
||||
chmod 0000 $permissionsWrapperDir/${program}
|
||||
chown ${owner}.${group} $permissionsWrapperDir/${program}
|
||||
|
||||
# Set desired capabilities on the file plus cap_setpcap so
|
||||
# the wrapper program can elevate the capabilities set on
|
||||
# its file into the Ambient set.
|
||||
#
|
||||
# Only set the capabilities though if we're being told to
|
||||
# do so.
|
||||
${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $permissionsWrapperDir/${program}
|
||||
|
||||
# Set the executable bit
|
||||
chmod u+rx,g+x,o+x $permissionsWrapperDir/${program}
|
||||
'';
|
||||
|
||||
###### Activation script for the setuid wrappers
|
||||
configureSetuidWrapper =
|
||||
{ program
|
||||
, source ? null
|
||||
, owner ? "nobody"
|
||||
, group ? "nogroup"
|
||||
, setuid ? false
|
||||
, setgid ? false
|
||||
, permissions ? "u+rx,g+x,o+x"
|
||||
}: ''
|
||||
cp ${setuidWrappers}/bin/${program}.wrapper $permissionsWrapperDir/${program}
|
||||
|
||||
# Prevent races
|
||||
chmod 0000 $permissionsWrapperDir/${program}
|
||||
chown ${owner}.${group} $permissionsWrapperDir/${program}
|
||||
|
||||
chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $permissionsWrapperDir/${program}
|
||||
'';
|
||||
in
|
||||
{
|
||||
|
||||
###### interface
|
||||
|
||||
options = {
|
||||
security.permissionsWrappers.setcap = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.attrs;
|
||||
default = [];
|
||||
example =
|
||||
[ { program = "ping";
|
||||
source = "${pkgs.iputils.out}/bin/ping";
|
||||
owner = "nobody";
|
||||
group = "nogroup";
|
||||
capabilities = "cap_net_raw+ep";
|
||||
}
|
||||
];
|
||||
description = ''
|
||||
This option sets capabilities on a wrapper program that
|
||||
propagates those capabilities down to the wrapped, real
|
||||
program.
|
||||
|
||||
The `program` attribute is the name of the program to be
|
||||
wrapped. If no `source` attribute is provided, specifying the
|
||||
absolute path to the program, then the program will be
|
||||
searched for in the path environment variable.
|
||||
|
||||
NOTE: cap_setpcap, which is required for the wrapper program
|
||||
to be able to raise caps into the Ambient set is NOT raised to
|
||||
the Ambient set so that the real program cannot modify its own
|
||||
capabilities!! This may be too restrictive for cases in which
|
||||
the real program needs cap_setpcap but it at least leans on
|
||||
the side security paranoid vs. too relaxed.
|
||||
'';
|
||||
};
|
||||
|
||||
security.permissionsWrappers.setuid = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.attrs;
|
||||
default = [];
|
||||
example =
|
||||
[ { program = "sendmail";
|
||||
source = "/nix/store/.../bin/sendmail";
|
||||
owner = "nobody";
|
||||
group = "postdrop";
|
||||
setuid = false;
|
||||
setgid = true;
|
||||
permissions = "u+rx,g+x,o+x";
|
||||
}
|
||||
];
|
||||
description = ''
|
||||
This option allows the ownership and permissions on the setuid
|
||||
wrappers for specific programs to be overridden from the
|
||||
default (setuid root, but not setgid root).
|
||||
'';
|
||||
};
|
||||
|
||||
security.permissionsWrapperDir = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
default = "/var/permissions-wrappers";
|
||||
internal = true;
|
||||
description = ''
|
||||
This option defines the path to the permissions wrappers. It
|
||||
should not be overriden.
|
||||
'';
|
||||
};
|
||||
|
||||
security.run-permissionsWrapperDir = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
default = "/run/permissions-wrapper-dirs";
|
||||
internal = true;
|
||||
description = ''
|
||||
This option defines the run path to the permissions
|
||||
wrappers. It should not be overriden.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
|
||||
###### implementation
|
||||
|
||||
config = {
|
||||
|
||||
# Make sure our setcap-wrapper dir exports to the PATH env
|
||||
# variable when initializing the shell
|
||||
environment.extraInit = ''
|
||||
# The permissions wrappers override other bin directories.
|
||||
export PATH="${permissionsWrapperDir}:$PATH"
|
||||
'';
|
||||
|
||||
system.activationScripts.wrapper-dir = ''
|
||||
mkdir -p "${permissionsWrapperDir}"
|
||||
'';
|
||||
|
||||
###### setcap activation script
|
||||
system.activationScripts.permissions-wrappers =
|
||||
lib.stringAfter [ "users" ]
|
||||
''
|
||||
# Look in the system path and in the default profile for
|
||||
# programs to be wrapped.
|
||||
PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
|
||||
|
||||
mkdir -p ${run-permissionsWrapperDir}
|
||||
permissionsWrapperDir=$(mktemp --directory --tmpdir=${run-permissionsWrapperDir} permissions-wrappers.XXXXXXXXXX)
|
||||
chmod a+rx $permissionsWrapperDir
|
||||
|
||||
${lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)}
|
||||
${lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)}
|
||||
|
||||
if [ -L ${permissionsWrapperDir} ]; then
|
||||
# Atomically replace the symlink
|
||||
# See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
|
||||
old=$(readlink ${permissionsWrapperDir})
|
||||
ln --symbolic --force --no-dereference $permissionsWrapperDir ${permissionsWrapperDir}-tmp
|
||||
mv --no-target-directory ${permissionsWrapperDir}-tmp ${permissionsWrapperDir}
|
||||
rm --force --recursive $old
|
||||
elif [ -d ${permissionsWrapperDir} ]; then
|
||||
# Compatibility with old state, just remove the folder and symlink
|
||||
rm -f ${permissionsWrapperDir}/*
|
||||
# if it happens to be a tmpfs
|
||||
${pkgs.utillinux}/bin/umount ${permissionsWrapperDir} || true
|
||||
rm -d ${permissionsWrapperDir}
|
||||
ln -d --symbolic $permissionsWrapperDir ${permissionsWrapperDir}
|
||||
else
|
||||
# For initial setup
|
||||
ln --symbolic $permissionsWrapperDir ${permissionsWrapperDir}
|
||||
fi
|
||||
'';
|
||||
};
|
||||
}
|
@ -83,22 +83,8 @@ in
|
||||
|
||||
security.pam.services.polkit-1 = {};
|
||||
|
||||
security.permissionsWrappers.setuid =
|
||||
[
|
||||
{ program = "pkexec";
|
||||
source = "${pkgs.polkit.out}/bin/pkexec";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}
|
||||
|
||||
{ program = "polkit-agent-helper-1";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
|
||||
}
|
||||
];
|
||||
security.setuidPrograms = [ "pkexec" ];
|
||||
security.wrappers."polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
|
||||
|
||||
system.activationScripts.polkit =
|
||||
''
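Review bot: `security.wrappers."polkit-agent-helper-1".source = …` sets only `source`, and the new module's dispatch only emits a wrapper when `setuid`, `setgid`, `permissions` or `capabilities` is present, so this entry yields no wrapper at all, whereas the removed lines made it setuid root. Either add it to `security.setuidPrograms` next to `pkexec` (giving up the pinned store path) or spell the bits out: `security.wrappers."polkit-agent-helper-1" = { source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; owner = "root"; group = "root"; setuid = true; };`. The option description's claim that the default is "setuid root" does not match what the code does for such an entry.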
|
||||
|
@ -81,22 +81,7 @@ in
|
||||
${cfg.extraConfig}
|
||||
'';
|
||||
|
||||
security.permissionsWrappers.setuid =
|
||||
[
|
||||
{ program = "sudo";
|
||||
source = "${pkgs.sudo.out}/bin/sudo";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}
|
||||
|
||||
{ program = "sudoedit";
|
||||
source = "${pkgs.sudo.out}/bin/sudoedit";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}
|
||||
];
|
||||
security.setuidPrograms = [ "sudo" "sudoedit" ];
|
||||
|
||||
environment.systemPackages = [ sudo ];
|
||||
|
||||
|
191
nixos/modules/security/wrappers/default.nix
Normal file
191
nixos/modules/security/wrappers/default.nix
Normal file
@ -0,0 +1,191 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
|
||||
inherit (config.security) wrapperDir;
|
||||
|
||||
isNotNull = v: if v != null || v != "" then true else false;
|
||||
|
||||
cfg = config.security.wrappers;
|
||||
|
||||
setcapWrappers = import ./setcap-wrapper-drv.nix {
|
||||
inherit config lib pkgs;
|
||||
};
|
||||
|
||||
setuidWrappers = import ./setuid-wrapper-drv.nix {
|
||||
inherit config lib pkgs;
|
||||
};
|
||||
|
||||
###### Activation script for the setcap wrappers
|
||||
mkSetcapProgram =
|
||||
{ program
|
||||
, capabilities
|
||||
, source ? null
|
||||
, owner ? "nobody"
|
||||
, group ? "nogroup"
|
||||
...
|
||||
}: ''
|
||||
cp ${setcapWrappers}/bin/${program}.wrapper $wrapperDir/${program}
|
||||
|
||||
# Prevent races
|
||||
chmod 0000 $wrapperDir/${program}
|
||||
chown ${owner}.${group} $wrapperDir/${program}
|
||||
|
||||
# Set desired capabilities on the file plus cap_setpcap so
|
||||
# the wrapper program can elevate the capabilities set on
|
||||
# its file into the Ambient set.
|
||||
#
|
||||
# Only set the capabilities though if we're being told to
|
||||
# do so.
|
||||
${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $wrapperDir/${program}
|
||||
|
||||
# Set the executable bit
|
||||
chmod u+rx,g+x,o+x $wrapperDir/${program}
|
||||
'';
|
||||
|
||||
###### Activation script for the setuid wrappers
|
||||
mkSetuidProgram =
|
||||
{ program
|
||||
, source ? null
|
||||
, owner ? "nobody"
|
||||
, group ? "nogroup"
|
||||
, setuid ? false
|
||||
, setgid ? false
|
||||
, permissions ? "u+rx,g+x,o+x"
|
||||
...
|
||||
}: ''
|
||||
cp ${setuidWrappers}/bin/${program}.wrapper $wrapperDir/${program}
|
||||
|
||||
# Prevent races
|
||||
chmod 0000 $wrapperDir/${program}
|
||||
chown ${owner}.${group} $wrapperDir/${program}
|
||||
|
||||
chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program}
|
||||
'';
|
||||
in
|
||||
{
|
||||
|
||||
###### interface
|
||||
|
||||
options = {
|
||||
security.wrappers.setcap = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.attrs;
|
||||
default = [];
|
||||
example =
|
||||
[ { program = "ping";
|
||||
source = "${pkgs.iputils.out}/bin/ping";
|
||||
owner = "nobody";
|
||||
group = "nogroup";
|
||||
capabilities = "cap_net_raw+ep";
|
||||
}
|
||||
];
|
||||
description = ''
|
||||
This option sets capabilities on a wrapper program that
|
||||
propagates those capabilities down to the wrapped, real
|
||||
program.
|
||||
|
||||
The <literal>program</literal> attribute is the name of the
|
||||
program to be wrapped. If no <literal>source</literal>
|
||||
attribute is provided, specifying the absolute path to the
|
||||
program, then the program will be searched for in the path
|
||||
environment variable.
|
||||
|
||||
NOTE: cap_setpcap, which is required for the wrapper program
|
||||
to be able to raise caps into the Ambient set is NOT raised to
|
||||
the Ambient set so that the real program cannot modify its own
|
||||
capabilities!! This may be too restrictive for cases in which
|
||||
the real program needs cap_setpcap but it at least leans on
|
||||
the side security paranoid vs. too relaxed.
|
||||
'';
|
||||
};
|
||||
|
||||
security.setuidPrograms = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
example = ["passwd"];
|
||||
description = ''
|
||||
The Nix store cannot contain setuid/setgid programs directly.
|
||||
For this reason, NixOS can automatically generate wrapper
|
||||
programs that have the necessary privileges. This option
|
||||
lists the names of programs in the system environment for
|
||||
which setuid root wrappers should be created.
|
||||
'';
|
||||
};
|
||||
|
||||
security.wrappers = lib.mkOption {
|
||||
type = lib.types.attrs;
|
||||
default = {};
|
||||
example = {
|
||||
sendmail.source = "/nix/store/.../bin/sendmail";
|
||||
};
|
||||
description = ''
|
||||
This option allows the ownership and permissions on the setuid
|
||||
wrappers for specific programs to be overridden from the
|
||||
default (setuid root, but not setgid root).
|
||||
'';
|
||||
};
|
||||
|
||||
security.old-wrapperDir = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
default = "/var/setuid-wrappers";
|
||||
internal = true;
|
||||
description = ''
|
||||
This option defines the path to the wrapper programs. It
|
||||
should not be overriden.
|
||||
'';
|
||||
};
|
||||
|
||||
security.wrapperDir = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
default = "/run/wrappers";
|
||||
internal = true;
|
||||
description = ''
|
||||
This option defines the path to the wrapper programs. It
|
||||
should not be overriden.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
###### implementation
|
||||
config = {
|
||||
# Make sure our setcap-wrapper dir exports to the PATH env
|
||||
# variable when initializing the shell
|
||||
environment.extraInit = ''
|
||||
# The permissions wrappers override other bin directories.
|
||||
export PATH="${wrapperDir}:$PATH"
|
||||
'';
|
||||
|
||||
###### setcap activation script
|
||||
system.activationScripts.wrappers =
|
||||
let
|
||||
programs =
|
||||
(map (x: { program = x; owner = "root"; group = "root"; setuid = true; })
|
||||
config.security.setuidPrograms)
|
||||
++ lib.mapAttrsToList
|
||||
(n: v: (if v ? "program" then v else v // {program=n;}))
|
||||
cfg.wrappers;
|
||||
|
||||
wrapperPrograms =
|
||||
builtins.map
|
||||
(s: if (s ? "setuid" && s.setuid == true) ||
|
||||
(s ? "setguid" && s.setguid == true) ||
|
||||
(s ? "permissions")
|
||||
then mkSetuidProgram s
|
||||
else if (s ? "capabilities")
|
||||
then mkSetcapProgram s
|
||||
else ""
|
||||
) programs;
|
||||
|
||||
in lib.stringAfter [ "users" ]
|
||||
''
|
||||
# Look in the system path and in the default profile for
|
||||
# programs to be wrapped.
|
||||
WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
|
||||
|
||||
mkdir -p ${wrapperDir}
|
||||
wrapperDir=$(mktemp --directory --tmpdir=${wrapperDir} wrappers.XXXXXXXXXX)
|
||||
chmod a+rx $wrapperDir
|
||||
|
||||
${lib.concatStringsSep "\n" (builtins.filter isNotNull cfg.wrappers)}
|
||||
'';
|
||||
};
|
||||
}
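Review bot: The activation script at the end of the file never installs a wrapper: `wrapperPrograms` (the list of mkSetuidProgram/mkSetcapProgram snippets) is built but unused, and the script filters `cfg.wrappers`, i.e. `config.security.wrappers.wrappers`, which does not exist; it should read `${lib.concatStringsSep "\n" (builtins.filter isNotNull wrapperPrograms)}`. `isNotNull` is also a no-op, since `v != null || v != ""` holds for every value (use `&&`), and `s ? "setguid"` should be `setgid`, otherwise setgid-only wrappers are silently dropped. `security.setuidPrograms` uses bare `mkOption`/`types` although the file has no `with lib;`, so it needs `lib.mkOption`/`lib.types`, and declaring `security.wrappers` as `types.attrs` alongside a `security.wrappers.setcap` sub-option is likely to be rejected by the module system. Finally, the mktemp directory created under `${wrapperDir}` is never linked or moved to `${wrapperDir}` itself and old ones are never removed, so `/run/wrappers/<program>` as referenced by the rest of this commit will not exist; the deleted module's atomic symlink swap covered both and should be carried over.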
|
@ -1,7 +1,7 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
cfg = config.security.permissionsWrappers;
|
||||
cfg = config.security.wrappers;
|
||||
|
||||
# Produce a shell-code splice intended to be stitched into one of
|
||||
# the build or install phases within the derivation.
|
||||
@ -12,7 +12,7 @@ let
|
||||
source=/nix/var/nix/profiles/default/bin/${program}
|
||||
fi
|
||||
|
||||
gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-permissionsWrapperDir}\" \
|
||||
gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-wrapperDir}\" \
|
||||
-lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
|
||||
-I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
|
||||
'';
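Review bot: `config.security.run-wrapperDir` on the `gcc` line does not appear to be declared by the new wrappers module, which only defines `security.wrapperDir` and `security.old-wrapperDir`; unless another module declares it, evaluation fails here on an undefined option. If WRAPPER_DIR is meant to be the directory the activation script populates, use `-DWRAPPER_DIR=\"${config.security.wrapperDir}\"`, and make sure that is where the wrappers actually end up rather than the mktemp subdirectory. The enclosing mkSetcapWrapper splice starts before this hunk.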
|
@ -1,18 +1,18 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
cfg = config.security.permissionsWrappers;
|
||||
cfg = config.security.wrappers;
|
||||
|
||||
# Produce a shell-code splice intended to be stitched into one of
|
||||
# the build or install phases within the derivation.
|
||||
mkSetuidWrapper = { program, source ? null, ...}: ''
|
||||
if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then
|
||||
# If we can't find the program, fall back to the
|
||||
# system profile.
|
||||
source=/nix/var/nix/profiles/default/bin/${program}
|
||||
if ! source=${if source != null then source else "$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))"}; then
|
||||
# If we can't find the program, fall back to the
|
||||
# system profile.
|
||||
source=/nix/var/nix/profiles/default/bin/${program}
|
||||
fi
|
||||
|
||||
gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-permissionsWrapperDir}\" \
|
||||
gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-wrapperDir}\" \
|
||||
-lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
|
||||
-I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
|
||||
'';
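Review bot: `config.security.run-wrapperDir` is not an option the new wrappers module defines (it declares `security.wrapperDir` and `security.old-wrapperDir`), so this derivation will fail to evaluate unless it is declared elsewhere; `-DWRAPPER_DIR=\"${config.security.wrapperDir}\"` looks like the intended value. Whatever directory is baked in must match where the activation script places the setuid binaries, which with the new mktemp subdirectory under `/run/wrappers` is no longer obvious and is presumably what the wrapper uses to validate its own location. Note too that `$WRAPPER_PATH` is exported by the activation script, not by this build-phase splice, so unless the derivation sets it the `type -tP` lookup here likely always falls through to `/nix/var/nix/profiles/default/bin/<program>`.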
|
@ -29,8 +29,8 @@ let
|
||||
};
|
||||
|
||||
cronJob = ''
|
||||
@reboot logcheck env PATH=/var/permissions-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags}
|
||||
2 ${cfg.timeOfDay} * * * logcheck env PATH=/var/permissions-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags}
|
||||
@reboot logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags}
|
||||
2 ${cfg.timeOfDay} * * * logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags}
|
||||
'';
|
||||
|
||||
writeIgnoreRule = name: {level, regex, ...}:
|
||||
|
@ -13,7 +13,7 @@ let
|
||||
''
|
||||
base_dir = ${baseDir}
|
||||
protocols = ${concatStringsSep " " cfg.protocols}
|
||||
sendmail_path = /var/permissions-wrappers/sendmail
|
||||
sendmail_path = /run/wrappers/sendmail
|
||||
''
|
||||
|
||||
(if isNull cfg.sslServerCert then ''
|
||||
|
@ -70,7 +70,7 @@ in
|
||||
etc."exim.conf".text = ''
|
||||
exim_user = ${cfg.user}
|
||||
exim_group = ${cfg.group}
|
||||
exim_path = /var/permissions-wrappers/exim
|
||||
exim_path = /run/wrappers/exim
|
||||
spool_directory = ${cfg.spoolDir}
|
||||
${cfg.config}
|
||||
'';
|
||||
@ -89,15 +89,7 @@ in
|
||||
gid = config.ids.gids.exim;
|
||||
};
|
||||
|
||||
security.permissionsWrappers.setuid =
|
||||
[
|
||||
{ program = "exim";
|
||||
source = "${pkgs.exim.out}/bin/exim";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}
|
||||
];
|
||||
security.setuidPrograms = [ "exim" ];
|
||||
|
||||
systemd.services.exim = {
|
||||
description = "Exim Mail Daemon";
|
||||
|
@ -26,7 +26,7 @@ with lib;
|
||||
|
||||
config = mkIf (config.services.mail.sendmailSetuidWrapper != null) {
|
||||
|
||||
security.permissionsWrappers.setuid = [ config.services.mail.sendmailSetuidWrapper ];
|
||||
security.wrappers.setuid = [ config.services.mail.sendmailSetuidWrapper ];
|
||||
|
||||
};
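Review bot: `security.wrappers.setuid = [ … ]` is no longer an option: the new module declares `security.wrappers` as a plain attrset keyed by wrapper name, so this defines an attribute literally named `setuid` holding a list, and `mapAttrsToList (n: v: if v ? "program" then v else v // {program=n;})` will fail on `//` with a list value. Assuming `sendmailSetuidWrapper` is still the attrset with `program`/`source` it was under `permissionsWrappers.setuid`, this should become `security.wrappers.${config.services.mail.sendmailSetuidWrapper.program} = config.services.mail.sendmailSetuidWrapper;`.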
|
||||
|
||||
|
@ -34,7 +34,7 @@ let
|
||||
cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file)
|
||||
|
||||
wrapProgram $file \
|
||||
--set PATH "/var/permissions-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \
|
||||
--set PATH "/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \
|
||||
--set MUNIN_LIBDIR "${pkgs.munin}/lib" \
|
||||
--set MUNIN_PLUGSTATE "/var/run/munin"
|
||||
|
||||
@ -183,7 +183,7 @@ in
|
||||
|
||||
mkdir -p /etc/munin/plugins
|
||||
rm -rf /etc/munin/plugins/*
|
||||
PATH="/var/permissions-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
|
||||
PATH="/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
|
||||
'';
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/";
|
||||
|
@ -124,7 +124,7 @@ in
|
||||
};
|
||||
|
||||
mailer = mkOption {
|
||||
default = "/var/permissions-wrappers/sendmail";
|
||||
default = "/run/wrappers/sendmail";
|
||||
type = types.path;
|
||||
description = ''
|
||||
Sendmail-compatible binary to be used to send the messages.
|
||||
|
@ -30,7 +30,7 @@ let
|
||||
''
|
||||
[ global ]
|
||||
security = ${cfg.securityType}
|
||||
passwd program = /var/permissions-wrappers/passwd %u
|
||||
passwd program = /run/wrappers/passwd %u
|
||||
pam password change = ${smbToString cfg.syncPasswordsByPam}
|
||||
invalid users = ${smbToString cfg.invalidUsers}
|
||||
|
||||
|
@ -141,7 +141,7 @@ in
|
||||
setgid = false;
|
||||
};
|
||||
|
||||
security.permissionsWrappers.setuid = [ cfg.setuidWrapper ];
|
||||
security.wrappers.setuid = [ cfg.setuidWrapper ];
|
||||
|
||||
systemd.services.gale-galed = {
|
||||
description = "Gale messaging daemon";
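Review bot: `security.wrappers.setuid = [ cfg.setuidWrapper ];` targets an option the new module does not declare; `security.wrappers` is now an attrset keyed by wrapper name, so this line creates an attribute named `setuid` with a list value and the module's `mapAttrsToList` merge will fail on it. Assuming `cfg.setuidWrapper` is the attrset whose `setgid = false;` default is visible above, write `security.wrappers.${cfg.setuidWrapper.program} = cfg.setuidWrapper;` instead.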
|
||||
|
@ -18,7 +18,7 @@ let
|
||||
var_prefix = "${stateDir}"
|
||||
prayer_user = "${prayerUser}"
|
||||
prayer_group = "${prayerGroup}"
|
||||
sendmail_path = "/var/permissions-wrappers/sendmail"
|
||||
sendmail_path = "/run/wrappers/sendmail"
|
||||
|
||||
use_http_port ${cfg.port}
|
||||
|
||||
|
@ -219,14 +219,14 @@ in
|
||||
type = types.string;
|
||||
default = ''
|
||||
+ FPing
|
||||
binary = ${config.security.permissionsWrapperDir}/fping
|
||||
binary = ${config.security.wrapperDir}/fping
|
||||
'';
|
||||
description = "Probe configuration";
|
||||
};
|
||||
sendmail = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
example = "/var/permissions-wrappers/sendmail";
|
||||
example = "/run/wrappers/sendmail";
|
||||
description = "Use this sendmail compatible script to deliver alerts";
|
||||
};
|
||||
smokeMailTemplate = mkOption {
|
||||
@ -273,21 +273,7 @@ in
|
||||
message = "services.smokeping: sendmail and Mailhost cannot both be enabled.";
|
||||
}
|
||||
];
|
||||
security.permissionsWrappers.setuid = [
|
||||
{ program = "fping";
|
||||
source = "${pkgs.fping}/bin/fping";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}
|
||||
|
||||
{ program = "fping";
|
||||
source = "${pkgs.fping}/bin/fping6";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}
|
||||
];
|
||||
security.setuidPrograms = [ "fping" "fping6" ];
|
||||
environment.systemPackages = [ pkgs.fping ];
|
||||
users.extraUsers = singleton {
|
||||
name = cfg.user;
|
||||
|
@ -42,7 +42,7 @@ in
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
security.permissionsWrappers.setuid = map (program: {
|
||||
security.wrappers.setuid = map (program: {
|
||||
inherit program;
|
||||
|
||||
source = "${pkgs.atd}/bin/${program}";
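Review bot: `security.wrappers.setuid = map (program: { … })` assigns a list to an attribute named `setuid` of `security.wrappers`, which the new module treats as an attrset keyed by wrapper name and then tries to merge with `//`, so this will not evaluate. Build an attrset instead, e.g. `security.wrappers = lib.genAttrs <programs> (program: { source = "${pkgs.atd}/bin/${program}"; … });` or `lib.listToAttrs (map (program: lib.nameValuePair program { … }) <programs>)`. The `map` body continues past this hunk.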
|
||||
|
@ -20,7 +20,7 @@ let
|
||||
cronNixosPkg = pkgs.cron.override {
|
||||
# The mail.nix nixos module, if there is any local mail system enabled,
|
||||
# should have sendmail in this path.
|
||||
sendmailPath = "/var/permissions-wrappers/sendmail";
|
||||
sendmailPath = "/run/wrappers/sendmail";
|
||||
};
|
||||
|
||||
allFiles =
|
||||
@ -61,7 +61,7 @@ in
|
||||
A list of Cron jobs to be appended to the system-wide
|
||||
crontab. See the manual page for crontab for the expected
|
||||
format. If you want to get the results mailed you must setuid
|
||||
sendmail. See <option>security.permissionsWrappers.setuid</option>
|
||||
sendmail. See <option>security.wrappers.setuid</option>
|
||||
|
||||
If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only root
|
||||
will is allowed to have its own crontab file. The /var/cron/cron.deny file
|
||||
@ -92,21 +92,9 @@ in
|
||||
config = mkMerge [
|
||||
|
||||
{ services.cron.enable = mkDefault (allFiles != []); }
|
||||
|
||||
(mkIf (config.services.cron.enable) {
|
||||
|
||||
security.permissionsWrappers.setuid =
|
||||
[
|
||||
{ program = "crontab";
|
||||
source = "${pkgs.cronNixosPkg.out}/bin/crontab";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}
|
||||
];
|
||||
|
||||
security.setuidPrograms = [ "crontab" ];
|
||||
environment.systemPackages = [ cronNixosPkg ];
|
||||
|
||||
environment.etc.crontab =
|
||||
{ source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; }
|
||||
''
|
||||
|
@ -96,7 +96,7 @@ in
|
||||
fcronallow = /etc/fcron.allow
|
||||
fcrondeny = /etc/fcron.deny
|
||||
shell = /bin/sh
|
||||
sendmail = /var/permissions-wrappers/sendmail
|
||||
sendmail = /run/wrappers/sendmail
|
||||
editor = /run/current-system/sw/bin/vi
|
||||
'';
|
||||
target = "fcron.conf";
|
||||
@ -106,16 +106,7 @@ in
|
||||
|
||||
environment.systemPackages = [ pkgs.fcron ];
|
||||
|
||||
security.permissionsWrappers.setuid =
|
||||
[
|
||||
{ program = "fcrontab";
|
||||
source = "${pkgs.fcron.out}/bin/fcrontab";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}
|
||||
];
|
||||
|
||||
security.setuidPrograms = [ "fcrontab" ];
|
||||
systemd.services.fcron = {
|
||||
description = "fcron daemon";
|
||||
after = [ "local-fs.target" ];
|
||||
|
@ -38,7 +38,7 @@ let
|
||||
sed -ri "s@/etc/dbus-1/(system|session)-@$out/\1-@" $out/{system,session}.conf
|
||||
|
||||
sed '${./dbus-system-local.conf.in}' \
|
||||
-e 's,@servicehelper@,${config.security.permissionsWrapperDir}/dbus-daemon-launch-helper,g' \
|
||||
-e 's,@servicehelper@,${config.security.wrapperDir}/dbus-daemon-launch-helper,g' \
|
||||
-e 's,@extra@,${systemExtraxml},' \
|
||||
> "$out/system-local.conf"
|
||||
|
||||
@ -114,7 +114,7 @@ in
|
||||
|
||||
systemd.packages = [ pkgs.dbus.daemon ];
|
||||
|
||||
security.permissionsWrappers.setuid = singleton
|
||||
security.wrappers.setuid = singleton
|
||||
{ program = "dbus-daemon-launch-helper";
|
||||
source = "${pkgs.dbus.daemon}/libexec/dbus-daemon-launch-helper";
|
||||
owner = "root";
|
||||
|
@ -62,16 +62,7 @@ in
|
||||
'';
|
||||
}];
|
||||
|
||||
security.permissionsWrappers.setuid =
|
||||
[
|
||||
{ program = "e_freqset";
|
||||
source = "${e.enlightenment.out}/bin/e_freqset";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}
|
||||
];
|
||||
|
||||
security.setuidPrograms = [ "e_freqset" ];
|
||||
environment.etc = singleton
|
||||
{ source = "${pkgs.xkeyboard_config}/etc/X11/xkb";
|
||||
target = "X11/xkb";
|
||||
|
@ -131,7 +131,7 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
security.permissionsWrappers.setuid = singleton
|
||||
security.wrappers.setuid = singleton
|
||||
{ program = "kcheckpass";
|
||||
source = "${kde_workspace}/lib/kde4/libexec/kcheckpass";
|
||||
owner = "root";
|
||||
|
@ -68,7 +68,7 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
security.permissionsWrappers.setuid = [
|
||||
security.wrappers.setuid = [
|
||||
{
|
||||
program = "kcheckpass";
|
||||
source = "${kde5.plasma-workspace.out}/lib/libexec/kcheckpass";
|
||||
|
@ -131,10 +131,10 @@ if [ -n "@useHostResolvConf@" -a -e /etc/resolv.conf ]; then
|
||||
cat /etc/resolv.conf | resolvconf -m 1000 -a host
|
||||
fi
|
||||
|
||||
# Create /var/permissions-wrappers as a tmpfs.
|
||||
rm -rf /var/permissions-wrappers
|
||||
mkdir -m 0755 -p /var/permissions-wrappers
|
||||
mount -t tmpfs -o "mode=0755" tmpfs /var/permissions-wrappers
|
||||
# Create /run/wrappers as a tmpfs.
|
||||
rm -rf /run/wrappers
|
||||
mkdir -m 0755 -p /run/wrappers
|
||||
mount -t tmpfs -o "mode=0755" tmpfs /run/wrappers
|
||||
|
||||
# Log the script output to /dev/kmsg or /run/log/stage-2-init.log.
|
||||
# Only at this point are all the necessary prerequisites ready for these commands.
|
||||
|
@ -898,38 +898,23 @@ in
|
||||
|
||||
# Capabilities won't work unless we have at-least a 4.3 Linux
|
||||
# kernel because we need the ambient capability
|
||||
security.permissionsWrappers.setcap = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") (
|
||||
[
|
||||
{ program = "ping";
|
||||
source = "${pkgs.iputils.out}/bin/ping";
|
||||
capabilities = "cap_net_raw+p";
|
||||
}
|
||||
security.wrappers = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") {
|
||||
ping = {
|
||||
source = "${pkgs.iputils.out}/bin/ping";
|
||||
capabilities = "cap_net_raw+p";
|
||||
};
|
||||
|
||||
{ program = "ping6";
|
||||
source = "${pkgs.iputils.out}/bin/ping6";
|
||||
capabilities = "cap_net_raw+p";
|
||||
}
|
||||
]
|
||||
);
|
||||
ping6 = {
|
||||
source = "${pkgs.iputils.out}/bin/ping6";
|
||||
capabilities = "cap_net_raw+p";
|
||||
};
|
||||
};
|
||||
|
||||
# If our linux kernel IS older than 4.3, let's setuid ping and ping6
|
||||
security.permissionsWrappers.setuid = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") (
|
||||
[
|
||||
{ program = "ping";
|
||||
source = "${pkgs.iputils.out}/bin/ping";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}
|
||||
|
||||
{ program = "ping6";
|
||||
source = "${pkgs.iputils.out}/bin/ping6";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
}
|
||||
]
|
||||
);
|
||||
# If the linux kernel IS older than 4.3, create setuid wrappers
|
||||
# for ping and ping6
|
||||
security.setuidPrograms = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") [
|
||||
"ping" "ping6"
|
||||
];
|
||||
|
||||
# Set the host and domain names in the activation script. Don't
|
||||
# clear it if it's not configured in the NixOS configuration,
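Review bot: `security.wrappers` is assigned here as an attribute set keyed by program name (`ping`, `ping6`), while the atd, dbus, KDE and VirtualBox hunks earlier in this commit assign `security.wrappers.setuid = [ … ]`, which under that reading declares a wrapper named `setuid` whose value is a list. The wrappers module itself is not part of this diff, so whether the option type admits both shapes cannot be confirmed from here; if it is an attrset of per-program submodules the list-valued `setuid` key should fail type-checking, and if the type is looser it would be accepted silently with no wrapper created for those programs. Converting the list form to the keyed form, e.g. `security.wrappers.dbus-daemon-launch-helper = { source = "${pkgs.dbus.daemon}/libexec/dbus-daemon-launch-helper"; owner = "root"; … };`, would make every hunk agree. With a keyed set, two modules naming the same program (`kcheckpass` appears in both the KDE 4 and KDE 5 hunks) presumably collide at the attribute level rather than producing two wrappers; worth confirming that their enable options are mutually exclusive or that the module reports the conflict.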
|
||||
|
@ -68,7 +68,7 @@ in
|
||||
boot.extraModulePackages = [ kernelModules ];
|
||||
environment.systemPackages = [ virtualbox ];
|
||||
|
||||
security.permissionsWrappers.setuid = let
|
||||
security.wrappers.setuid = let
|
||||
mkSuid = program: {
|
||||
inherit program;
|
||||
source = "${virtualbox}/libexec/virtualbox/${program}";
|
||||
@ -99,7 +99,7 @@ in
|
||||
SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
|
||||
'';
|
||||
|
||||
# Since we lack the right setuid binaries, set up a host-only network by default.
|
||||
# Since we lack the right setuid/setcap binaries, set up a host-only network by default.
|
||||
} (mkIf cfg.addNetworkInterface {
|
||||
systemd.services."vboxnet0" =
|
||||
{ description = "VirtualBox vboxnet0 Interface";
|
||||
|
@ -14,7 +14,7 @@ import ./make-test.nix ({ pkgs, ...} : {
|
||||
mailHost = "127.0.0.2";
|
||||
probeConfig = ''
|
||||
+ FPing
|
||||
binary = /var/permissions-wrappers/fping
|
||||
binary = /run/wrappers/fping
|
||||
offset = 0%
|
||||
'';
|
||||
};
|
||||
|
@ -1,5 +1,5 @@
|
||||
{ fetchurl, stdenv, glib, xorg, cairo, gtk2, pango, makeWrapper, openssl, bzip2,
|
||||
pkexecPath ? "/var/permissions-wrappers/pkexec", libredirect,
|
||||
pkexecPath ? "/run/wrappers/pkexec", libredirect,
|
||||
gksuSupport ? false, gksu}:
|
||||
|
||||
assert stdenv.system == "i686-linux" || stdenv.system == "x86_64-linux";
|
||||
|
@ -83,9 +83,9 @@ in stdenv.mkDerivation {
|
||||
ed -v -s "$out/bin/chromium" << EOF
|
||||
2i
|
||||
|
||||
if [ -x "/var/permissions-wrappers/${sandboxExecutableName}" ]
|
||||
if [ -x "/run/wrappers/${sandboxExecutableName}" ]
|
||||
then
|
||||
export CHROME_DEVEL_SANDBOX="/var/permissions-wrappers/${sandboxExecutableName}"
|
||||
export CHROME_DEVEL_SANDBOX="/run/wrappers/${sandboxExecutableName}"
|
||||
else
|
||||
export CHROME_DEVEL_SANDBOX="$sandbox/bin/${sandboxExecutableName}"
|
||||
fi
|
||||
|
@ -26,7 +26,7 @@ index 50e8ad8..eec0ed2 100644
|
||||
+ is_nixos=no
|
||||
+fi
|
||||
+
|
||||
+if [ -u /var/permissions-wrappers/gksign ]; then
|
||||
+if [ -u /run/wrappers/gksign ]; then
|
||||
+ cat <<EOM
|
||||
+
|
||||
+Gale appears to have already been set up via the NixOS module system (check
|
||||
|
@ -11,7 +11,7 @@ index a9d8ac4..85f13f5 100644
|
||||
- # # arguments: '-i -t'
|
||||
- # # }
|
||||
+ config.action_mailer.sendmail_settings = {
|
||||
+ location: '/var/permissions-wrappers/sendmail',
|
||||
+ location: '/run/wrappers/sendmail',
|
||||
+ arguments: '-i -t'
|
||||
+ }
|
||||
config.action_mailer.perform_deliveries = true
|
||||
|
@ -96,7 +96,7 @@ index 95dc9a7..39170bc 100644
|
||||
/* get the path to the executable */
|
||||
char szPath[RTPATH_MAX];
|
||||
- RTPathAppPrivateArch(szPath, sizeof(szPath) - 1);
|
||||
+ RTStrCopy(szPath, sizeof(szPath) - 1, "/var/permissions-wrappers");
|
||||
+ RTStrCopy(szPath, sizeof(szPath) - 1, "/run/wrappers");
|
||||
size_t cchBufLeft = strlen(szPath);
|
||||
szPath[cchBufLeft++] = RTPATH_DELIMITER;
|
||||
szPath[cchBufLeft] = 0;
|
||||
@ -154,7 +154,7 @@ index be2ad8f..7ddf105 100644
|
||||
|
||||
+RTDECL(int) RTPathSuidDir(char *pszPath, size_t cchPath)
|
||||
+{
|
||||
+ return RTStrCopy(pszPath, cchPath, "/var/permissions-wrappers");
|
||||
+ return RTStrCopy(pszPath, cchPath, "/run/wrappers");
|
||||
+}
|
||||
+
|
||||
+
|
||||
@ -174,7 +174,7 @@ index 7bde6af..2656cae 100644
|
||||
+ * will cut off everything after the rightmost / as this function is analogous
|
||||
+ * to RTProcGetExecutablePath().
|
||||
+ */
|
||||
+#define SUIDDIR "/var/permissions-wrappers/"
|
||||
+#define SUIDDIR "/run/wrappers/"
|
||||
+
|
||||
+RTR3DECL(char *) RTProcGetSuidPath(char *pszExecPath, size_t cbExecPath)
|
||||
+{
|
||||
|
@ -51,7 +51,7 @@ let
|
||||
export PS1='${name}-chrootenv:\u@\h:\w\$ '
|
||||
export LOCALE_ARCHIVE='/usr/lib/locale/locale-archive'
|
||||
export LD_LIBRARY_PATH='/run/opengl-driver/lib:/run/opengl-driver-32/lib:/usr/lib:/usr/lib32'
|
||||
export PATH='/var/permissions-wrappers:/usr/bin:/usr/sbin'
|
||||
export PATH='/run/wrappers:/usr/bin:/usr/sbin'
|
||||
export PKG_CONFIG_PATH=/usr/lib/pkgconfig
|
||||
|
||||
# Force compilers to look in default search paths
|
||||
|
@ -42,13 +42,13 @@ stdenv.mkDerivation rec {
|
||||
# this is a hack and without this cpufreq module is not working. does the following:
|
||||
# 1. moves the "freqset" binary to "e_freqset",
|
||||
# 2. linkes "e_freqset" to enlightenment/bin so that,
|
||||
# 3. permissionsWrappers.setuid detects it and places wrappers in /var/permissions-wrappers/e_freqset,
|
||||
# 4. and finally, links /var/permissions-wrappers/e_freqset to original destination where enlightenment wants it
|
||||
# 3. wrappers.setuid detects it and places wrappers in /run/wrappers/e_freqset,
|
||||
# 4. and finally, links /run/wrappers/e_freqset to original destination where enlightenment wants it
|
||||
postInstall = ''
|
||||
export CPUFREQ_DIRPATH=`readlink -f $out/lib/enlightenment/modules/cpufreq/linux-gnu-*`;
|
||||
mv $CPUFREQ_DIRPATH/freqset $CPUFREQ_DIRPATH/e_freqset
|
||||
ln -sv $CPUFREQ_DIRPATH/e_freqset $out/bin/e_freqset
|
||||
ln -sv /var/permissions-wrappers/e_freqset $CPUFREQ_DIRPATH/freqset
|
||||
ln -sv /run/wrappers/e_freqset $CPUFREQ_DIRPATH/freqset
|
||||
'';
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
|
@ -7,7 +7,7 @@ Index: kinit-5.24.0/src/start_kdeinit/start_kdeinit_wrapper.c
|
||||
#include <unistd.h>
|
||||
|
||||
-#define EXECUTE CMAKE_INSTALL_FULL_LIBEXECDIR_KF5 "/start_kdeinit"
|
||||
+#define EXECUTE "/var/permissions-wrappers/start_kdeinit"
|
||||
+#define EXECUTE "/run/wrappers/start_kdeinit"
|
||||
|
||||
#if KDEINIT_OOM_PROTECT
|
||||
|
||||
|
@ -57,8 +57,8 @@ stdenv.mkDerivation rec {
|
||||
|
||||
# Fix some binary paths
|
||||
sed -i -e 's|/usr/bin/xauth|${xauth}/bin/xauth|g' libgksu/gksu-run-helper.c libgksu/libgksu.c
|
||||
sed -i -e 's|/usr/bin/sudo|/var/permissions-wrappers/sudo|g' libgksu/libgksu.c
|
||||
sed -i -e 's|/bin/su\([^d]\)|/var/permissions-wrappers/su\1|g' libgksu/libgksu.c
|
||||
sed -i -e 's|/usr/bin/sudo|/run/wrappers/sudo|g' libgksu/libgksu.c
|
||||
sed -i -e 's|/bin/su\([^d]\)|/run/wrappers/su\1|g' libgksu/libgksu.c
|
||||
|
||||
touch NEWS README
|
||||
'';
|
||||
|
@ -5,7 +5,7 @@
|
||||
let
|
||||
|
||||
system = "/var/run/current-system/sw";
|
||||
setuid = "/var/permissions-wrappers"; #TODO: from <nixos> config.security.wrapperDir;
|
||||
setuid = "/run/wrappers"; #TODO: from <nixos> config.security.wrapperDir;
|
||||
|
||||
foolVars = {
|
||||
SYSCONF = "/etc";
|
||||
|
@ -94,7 +94,7 @@ in stdenv.mkDerivation rec {
|
||||
unitydir="$out/opt/Unity/Editor"
|
||||
mkdir -p $unitydir
|
||||
mv Editor/* $unitydir
|
||||
ln -sf /var/permissions-wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox
|
||||
ln -sf /run/wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox
|
||||
|
||||
mkdir -p $out/share/applications
|
||||
sed "/^Exec=/c\Exec=$out/bin/unity-editor" \
|
||||
|
@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
|
||||
# Ensure that FUSE calls the setuid wrapper, not
|
||||
# $out/bin/fusermount. It falls back to calling fusermount in
|
||||
# $PATH, so it should also work on non-NixOS systems.
|
||||
export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/var/permissions-wrappers\""
|
||||
export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers\""
|
||||
|
||||
sed -e 's@/bin/@${utillinux}/bin/@g' -i lib/mount_util.c
|
||||
sed -e 's@CONFIG_RPATH=/usr/share/gettext/config.rpath@CONFIG_RPATH=${gettext}/share/gettext/config.rpath@' -i makeconf.sh
|
||||
|
@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
|
||||
preConfigure = ''
|
||||
sed -e 's@/lib/udev@''${out}/lib/udev@' \
|
||||
-e 's@ -Werror @ @' \
|
||||
-e 's@/usr/sbin/sendmail@/var/permissions-wrappers/sendmail@' -i Makefile
|
||||
-e 's@/usr/sbin/sendmail@/run/wrappers/sendmail@' -i Makefile
|
||||
'';
|
||||
|
||||
meta = {
|
||||
|
@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
|
||||
preConfigure = ''
|
||||
sed -e 's@/lib/udev@''${out}/lib/udev@' \
|
||||
-e 's@ -Werror @ @' \
|
||||
-e 's@/usr/sbin/sendmail@/var/permissions-wrappers/sendmail@' -i Makefile
|
||||
-e 's@/usr/sbin/sendmail@/run/wrappers/sendmail@' -i Makefile
|
||||
'';
|
||||
|
||||
meta = {
|
||||
|
@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
postInstall = ''
|
||||
mv -v $out/sbin/unix_chkpwd{,.orig}
|
||||
ln -sv /var/permissions-wrappers/unix_chkpwd $out/sbin/unix_chkpwd
|
||||
ln -sv /run/wrappers/unix_chkpwd $out/sbin/unix_chkpwd
|
||||
''; /*
|
||||
rm -rf $out/etc
|
||||
mkdir -p $modules/lib
|
||||
|
@ -36,7 +36,7 @@ stdenv.mkDerivation rec {
|
||||
--enable-last
|
||||
--enable-mesg
|
||||
--disable-use-tty-group
|
||||
--enable-fs-paths-default=/var/permissions-wrappers:/var/run/current-system/sw/bin:/sbin
|
||||
--enable-fs-paths-default=/run/wrappers:/var/run/current-system/sw/bin:/sbin
|
||||
${if ncurses == null then "--without-ncurses" else ""}
|
||||
${if systemd == null then "" else ''
|
||||
--with-systemd
|
||||
|
@ -30,7 +30,7 @@ buildGoPackage rec {
|
||||
-e 's|/bin/chown|${coreutils}/bin/chown|' \
|
||||
-e 's|/bin/date|${coreutils}/bin/date|' \
|
||||
-e 's|/sbin/poweroff|${systemd}/sbin/poweroff|' \
|
||||
-e 's|/usr/bin/sudo|/var/permissions-wrappers/sudo|' \
|
||||
-e 's|/usr/bin/sudo|/run/wrappers/sudo|' \
|
||||
-e 's|/sbin/cryptsetup|${cryptsetup}/bin/cryptsetup|'
|
||||
'';
|
||||
}
|
||||
|
@ -1,4 +1,4 @@
|
||||
{ stdenv, fetchurl, flex, bison, sendmailPath ? "/var/permissions-wrappers/sendmail" }:
|
||||
{ stdenv, fetchurl, flex, bison, sendmailPath ? "/run/wrappers/sendmail" }:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
name = "petidomo-4.3";
|
||||
|
@ -16,8 +16,8 @@ stdenv.mkDerivation rec {
|
||||
# configured on the build machine).
|
||||
preConfigure= "
|
||||
configureFlagsArray=(
|
||||
--with-ping-command='/var/permissions-wrappers/ping -n -U -w %d -c %d %s'
|
||||
--with-ping6-command='/var/permissions-wrappers/ping6 -n -U -w %d -c %d %s'
|
||||
--with-ping-command='/run/wrappers/ping -n -U -w %d -c %d %s'
|
||||
--with-ping6-command='/run/wrappers/ping6 -n -U -w %d -c %d %s'
|
||||
)
|
||||
";
|
||||
|
||||
|
@ -20,10 +20,10 @@ stdenv.mkDerivation rec {
|
||||
configureFlags="--mandir=$out/share/man"
|
||||
|
||||
substituteInPlace x11vnc/unixpw.c \
|
||||
--replace '"/bin/su"' '"/var/permissions-wrappers/su"' \
|
||||
--replace '"/bin/su"' '"/run/wrappers/su"' \
|
||||
--replace '"/bin/true"' '"${coreutils}/bin/true"'
|
||||
|
||||
sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/var/permissions-wrappers/su|g' x11vnc/ssltools.h
|
||||
sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/run/wrappers/su|g' x11vnc/ssltools.h
|
||||
'';
|
||||
|
||||
meta = {
|
||||
|
@ -31,7 +31,7 @@ python2Packages.buildPythonApplication rec {
|
||||
buildInputs = [ dialog ] ++ (with python2Packages; [ nose mock gnureadline ]);
|
||||
|
||||
patchPhase = ''
|
||||
substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/var/permissions-wrappers/sendmail"
|
||||
substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/run/wrappers/sendmail"
|
||||
substituteInPlace certbot/util.py --replace "sw_vers" "/usr/bin/sw_vers"
|
||||
'';
|
||||
|
||||
|
@ -2,7 +2,7 @@
|
||||
, FileDesktopEntry, libxslt, docbook_xsl, makeWrapper
|
||||
, python3Packages
|
||||
, perlPackages, curl, gnupg, diffutils
|
||||
, sendmailPath ? "/var/permissions-wrappers/sendmail"
|
||||
, sendmailPath ? "/run/wrappers/sendmail"
|
||||
}:
|
||||
|
||||
let
|
||||
|
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
|
||||
};
|
||||
|
||||
# TODO: replace wrapperDir below with from <nixos> config.security.wrapperDir;
|
||||
wrapperDir = "/var/permissions-wrappers";
|
||||
wrapperDir = "/run/wrappers";
|
||||
|
||||
postPatch = ''
|
||||
FILES="$(grep -r '/bin/sh' src/utils -l; find src -name \*.c)"
|
||||
|
@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ makeWrapper ];
|
||||
|
||||
# Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /var/permissions-wrappers
|
||||
# Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /run/wrappers
|
||||
installPhase = ''
|
||||
mkdir -p $out/bin $out/libexec
|
||||
cp $src $out/libexec/ecryptfs-helper.py
|
||||
|
@ -1,5 +1,5 @@
|
||||
{ stdenv, fetchurl, coreutils, pam, groff
|
||||
, sendmailPath ? "/var/permissions-wrappers/sendmail"
|
||||
, sendmailPath ? "/run/wrappers/sendmail"
|
||||
, withInsults ? false
|
||||
}:
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/var/permissions-wrappers/sendmail" }:
|
||||
{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/run/wrappers/sendmail" }:
|
||||
|
||||
stdenv.mkDerivation {
|
||||
name = "at-3.1.16";
|
||||
|
@ -23,7 +23,7 @@ stdenv.mkDerivation {
|
||||
#define _PATH_SENDMAIL "${sendmailPath}"
|
||||
|
||||
#undef _PATH_DEFPATH
|
||||
#define _PATH_DEFPATH "/var/permissions-wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin"
|
||||
#define _PATH_DEFPATH "/run/wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin"
|
||||
__EOT__
|
||||
|
||||
# Implicit saved uids do not work here due to way NixOS uses setuid wrappers
|
||||
|
@ -1,5 +1,5 @@
|
||||
{stdenv, fetchurl,
|
||||
sendmailPath ? "/var/permissions-wrappers/sendmail" }:
|
||||
sendmailPath ? "/run/wrappers/sendmail" }:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
|
||||
|