More derp
This commit is contained in:
parent
70b8167d4a
commit
628e6a83d0
13 changed files with 38 additions and 42 deletions
|
@ -27,6 +27,6 @@ in
|
|||
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [ sandbox ];
|
||||
security.setuidPrograms = [ sandbox.passthru.sandboxExecutableName ];
|
||||
security.wrappers."${sandbox.passthru.sandboxExecutableName}".source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";
|
||||
};
|
||||
}
|
||||
|
|
|
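Review bot: The `security.wrappers."${sandbox.passthru.sandboxExecutableName}".source = …` entry on line 23 names only the binary, whereas the `security.setuidPrograms` entry it replaces was expanded with `owner = "root"; group = "root"; setuid = true;` (visible in the removed `programs` mapping of the wrappers-module hunk, line 256), so whether the sandbox wrapper is still setuid root now depends on wrapper-module defaults that this diff does not show. Only the `unix_chkpwd` entry (lines 96–111) spells `owner`/`setuid` out; please either confirm that a `.source`-only wrapper defaults to a root-setuid wrapper, or set `owner = "root"; setuid = true;` explicitly as `unix_chkpwd` does. The same question applies to the `.source`-only entries for login_duo, pmount/pumount, pkexec and polkit-agent-helper-1, sudo/sudoedit, exim, fping/fping6, crontab, fcrontab, e_freqset and ping/ping6 in the later sections. The `let … in` that defines `sandbox` starts outside this hunk.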
@ -188,7 +188,7 @@ in
|
|||
|
||||
environment.systemPackages = [ pkgs.duo-unix ];
|
||||
|
||||
security.setuidPrograms = [ "login_duo" ];
|
||||
security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
|
||||
environment.etc = loginCfgFile ++ pamCfgFile;
|
||||
|
||||
/* If PAM *and* SSH are enabled, then don't do anything special.
|
||||
|
|
|
@ -472,13 +472,18 @@ in
|
|||
++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
|
||||
++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
|
||||
|
||||
security.setuidPrograms =
|
||||
security.wrapperssetuidPrograms =
|
||||
optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ];
|
||||
|
||||
security.wrappers.unix_chkpwd = {
|
||||
source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
|
||||
owner = "root";
|
||||
setuid = true;
|
||||
security.wrappers = {
|
||||
unix_chkpwd = {
|
||||
source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
|
||||
owner = "root";
|
||||
setuid = true;
|
||||
};
|
||||
} // (mkIf config.security.pam.enableEcryptfs {
|
||||
"mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
|
||||
"umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
|
||||
};
|
||||
|
||||
environment.etc =
|
||||
|
|
|
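Review bot: `} // (mkIf config.security.pam.enableEcryptfs {` on line 114 merges a plain attribute set with the marker set that `mkIf` returns, so the result is a `mkIf`-typed value carrying `unix_chkpwd` as a stray attribute next to the marker attributes; as far as I can tell the module system then takes only the conditional content, and the `unix_chkpwd` wrapper is dropped from `security.wrappers` (with ecryptfs disabled, the whole value is), which would break PAM password checks for non-root users. Replace the `//` with a merge the module system understands, e.g. `security.wrappers = lib.mkMerge [ { unix_chkpwd = { … }; } (mkIf config.security.pam.enableEcryptfs { … }) ];`, or keep `//` and use `lib.optionalAttrs config.security.pam.enableEcryptfs { … }` in place of `mkIf`. Separately, the rendered page does not show which side line 76 `security.wrapperssetuidPrograms =` (with the `optionals … [ "mount.ecryptfs_private" "umount.ecryptfs_private" ]` list on line 79) belongs to; if it survives on the new side it assigns an option declared nowhere in this diff — the `security.setuidPrograms` declaration itself is deleted in the wrappers-module hunk (lines 325–358) — and duplicates the two ecryptfs wrappers already in the `mkIf` block, so lines 76 and 79 should go entirely.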
@ -33,7 +33,10 @@ in
|
|||
config = mkIf (cfg.enable || anyUsbAuth) {
|
||||
|
||||
# Make sure pmount and pumount are setuid wrapped.
|
||||
security.setuidPrograms = [ "pmount" "pumount" ];
|
||||
security.wrappers = {
|
||||
pmount.source = "${pkgs.pmount.out}/bin/pmount";
|
||||
pumount.source = "${pkgs.pmount.out}/bin/pumount";
|
||||
};
|
||||
|
||||
environment.systemPackages = [ pkgs.pmount ];
|
||||
|
||||
|
|
|
@ -83,8 +83,10 @@ in
|
|||
|
||||
security.pam.services.polkit-1 = {};
|
||||
|
||||
security.setuidPrograms = [ "pkexec" ];
|
||||
security.wrappers."polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
|
||||
security.wrappers = {
|
||||
pkexec.source = "${pkgs.polkit.out}/bin/pkexec";
|
||||
"polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
|
||||
};
|
||||
|
||||
system.activationScripts.polkit =
|
||||
''
|
||||
|
|
|
@ -81,7 +81,10 @@ in
|
|||
${cfg.extraConfig}
|
||||
'';
|
||||
|
||||
security.setuidPrograms = [ "sudo" "sudoedit" ];
|
||||
security.wrappers = {
|
||||
sudo.source = "${pkgs.sudo.out}/bin/sudo";
|
||||
sudoedit.source = "${pkgs.sudo.out}/bin/sudoedit";
|
||||
};
|
||||
|
||||
environment.systemPackages = [ sudo ];
|
||||
|
||||
|
|
|
@ -4,22 +4,13 @@ let
|
|||
inherit (config.security) wrapperDir wrappers setuidPrograms;
|
||||
|
||||
programs =
|
||||
(map (x: { program = x; owner = "root"; group = "root"; setuid = true; }) setuidPrograms)
|
||||
++
|
||||
(lib.mapAttrsToList
|
||||
(n: v: (if v ? "program" then v else v // {program=n;}))
|
||||
wrappers);
|
||||
|
||||
mkWrapper = { program, source ? null, ...}: ''
|
||||
if ! source=${if source != null || source != "" then source else "$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))"}; then
|
||||
# If we can't find the program, fall back to the
|
||||
# system profile.
|
||||
source=/nix/var/nix/profiles/default/bin/${program}
|
||||
fi
|
||||
|
||||
parentWrapperDir=$(dirname ${wrapperDir})
|
||||
|
||||
gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"$parentWrapperDir\" \
|
||||
gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \
|
||||
-lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
|
||||
-I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
|
||||
'';
|
||||
|
@ -96,19 +87,6 @@ in
|
|||
###### interface
|
||||
|
||||
options = {
|
||||
security.setuidPrograms = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.str;
|
||||
default = [];
|
||||
example = ["passwd"];
|
||||
description = ''
|
||||
The Nix store cannot contain setuid/setgid programs directly.
|
||||
For this reason, NixOS can automatically generate wrapper
|
||||
programs that have the necessary privileges. This option
|
||||
lists the names of programs in the system environment for
|
||||
which setuid root wrappers should be created.
|
||||
'';
|
||||
};
|
||||
|
||||
security.wrappers = lib.mkOption {
|
||||
type = lib.types.attrs;
|
||||
default = {};
|
||||
|
|
|
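Review bot: With `-DSOURCE_PROG=\"${source}\"` on line 301 the wrapper source is interpolated at Nix evaluation time, so a wrapper that keeps the `null` default from `mkWrapper = { program, source ? null, ...}` on line 273 no longer goes through the shell-side `if ! source=…` fallback on lines 276–288 (the gcc line no longer reads the `$source` shell variable) and instead fails the string interpolation; if a caller can reach `mkWrapper` without a `source`, this needs a Nix-level fallback or an explicit `assert source != null;` with a clear message. If lines 276–288 are retained on the new side, note that `source != null || source != ""` on line 276 is true for every value (a null source satisfies the second test), so its `else` branch is unreachable and `${source}` is interpolated as null anyway; `&&` was presumably intended. Line 248 still inherits `setuidPrograms` from `config.security` while the `security.setuidPrograms` option declaration is deleted in the second hunk of this file (lines 325–358); the inherit itself is lazy, but any remaining use of it — the `programs` mapping on lines 253–268 if it is still present — would fail to evaluate, and the inherit should be dropped along with the option. The enclosing `let` block starts outside the first hunk.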
@ -89,7 +89,7 @@ in
|
|||
gid = config.ids.gids.exim;
|
||||
};
|
||||
|
||||
security.setuidPrograms = [ "exim" ];
|
||||
security.wrappers.exim.source = "${exim}/bin/exim";
|
||||
|
||||
systemd.services.exim = {
|
||||
description = "Exim Mail Daemon";
|
||||
|
|
|
@ -273,7 +273,10 @@ in
|
|||
message = "services.smokeping: sendmail and Mailhost cannot both be enabled.";
|
||||
}
|
||||
];
|
||||
security.setuidPrograms = [ "fping" "fping6" ];
|
||||
security.wrappers = {
|
||||
fping.source = "${pkgs.fping}/bin/fping";
|
||||
"fping6".source = "${pkgs.fping}/bin/fping6";
|
||||
};
|
||||
environment.systemPackages = [ pkgs.fping ];
|
||||
users.extraUsers = singleton {
|
||||
name = cfg.user;
|
||||
|
|
|
@ -93,7 +93,7 @@ in
|
|||
|
||||
{ services.cron.enable = mkDefault (allFiles != []); }
|
||||
(mkIf (config.services.cron.enable) {
|
||||
security.setuidPrograms = [ "crontab" ];
|
||||
security.wrappers.crontab.source = "${pkgs.cronNixosPkg.out}/bin/crontab";
|
||||
environment.systemPackages = [ cronNixosPkg ];
|
||||
environment.etc.crontab =
|
||||
{ source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; }
|
||||
|
|
|
@ -106,7 +106,7 @@ in
|
|||
|
||||
environment.systemPackages = [ pkgs.fcron ];
|
||||
|
||||
security.setuidPrograms = [ "fcrontab" ];
|
||||
security.wrappers.fcrontab.source = "${pkgs.fcron.out}/bin/fcrontab";
|
||||
systemd.services.fcron = {
|
||||
description = "fcron daemon";
|
||||
after = [ "local-fs.target" ];
|
||||
|
|
|
@ -62,7 +62,8 @@ in
|
|||
'';
|
||||
}];
|
||||
|
||||
security.setuidPrograms = [ "e_freqset" ];
|
||||
security.wrappers.e_freqset.source = "${e.enlightenment.out}/bin/e_freqset";
|
||||
|
||||
environment.etc = singleton
|
||||
{ source = "${pkgs.xkeyboard_config}/etc/X11/xkb";
|
||||
target = "X11/xkb";
|
||||
|
|
|
@ -912,9 +912,10 @@ in
|
|||
|
||||
# If the linux kernel IS older than 4.3, create setuid wrappers
|
||||
# for ping and ping6
|
||||
security.setuidPrograms = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") [
|
||||
"ping" "ping6"
|
||||
];
|
||||
security.wrappers = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") {
|
||||
ping.source = "${pkgs.iputils.out}/bin/ping";
|
||||
"ping6".source = "${pkgs.iputils.out}/bin/ping6";
|
||||
};
|
||||
|
||||
# Set the host and domain names in the activation script. Don't
|
||||
# clear it if it's not configured in the NixOS configuration,
|
||||
|
|