Addressing PR feedback

wip/yesman
Parnell Springmeyer 7 years ago
parent 9de070e620
commit e92b8402b0
No known key found for this signature in database
GPG Key ID: DCCF89258EAD874A
  1. 2
      nixos/doc/manual/release-notes/rl-1609.xml
  2. 8
      nixos/doc/manual/release-notes/rl-1703.xml
  3. 4
      nixos/modules/config/shells-environment.nix
  4. 2
      nixos/modules/installer/tools/nixos-generate-config.pl
  5. 7
      nixos/modules/installer/tools/nixos-install.sh
  6. 2
      nixos/modules/module-list.nix
  7. 9
      nixos/modules/programs/kbdlight.nix
  8. 9
      nixos/modules/programs/light.nix
  9. 48
      nixos/modules/programs/shadow.nix
  10. 4
      nixos/modules/security/apparmor-suid.nix
  11. 6
      nixos/modules/security/chromium-suid-sandbox.nix
  12. 11
      nixos/modules/security/duosec.nix
  13. 35
      nixos/modules/security/pam.nix
  14. 17
      nixos/modules/security/pam_usb.nix
  15. 191
      nixos/modules/security/permissions-wrappers/default.nix
  16. 18
      nixos/modules/security/polkit.nix
  17. 17
      nixos/modules/security/sudo.nix
  18. 191
      nixos/modules/security/wrappers/default.nix
  19. 0
      nixos/modules/security/wrappers/permissions-wrapper.c
  20. 4
      nixos/modules/security/wrappers/setcap-wrapper-drv.nix
  21. 12
      nixos/modules/security/wrappers/setuid-wrapper-drv.nix
  22. 4
      nixos/modules/services/logging/logcheck.nix
  23. 2
      nixos/modules/services/mail/dovecot.nix
  24. 12
      nixos/modules/services/mail/exim.nix
  25. 2
      nixos/modules/services/mail/mail.nix
  26. 4
      nixos/modules/services/monitoring/munin.nix
  27. 2
      nixos/modules/services/monitoring/smartd.nix
  28. 2
      nixos/modules/services/network-filesystems/samba.nix
  29. 2
      nixos/modules/services/networking/gale.nix
  30. 2
      nixos/modules/services/networking/prayer.nix
  31. 20
      nixos/modules/services/networking/smokeping.nix
  32. 2
      nixos/modules/services/scheduling/atd.nix
  33. 18
      nixos/modules/services/scheduling/cron.nix
  34. 13
      nixos/modules/services/scheduling/fcron.nix
  35. 4
      nixos/modules/services/system/dbus.nix
  36. 11
      nixos/modules/services/x11/desktop-managers/enlightenment.nix
  37. 2
      nixos/modules/services/x11/desktop-managers/kde4.nix
  38. 2
      nixos/modules/services/x11/desktop-managers/kde5.nix
  39. 8
      nixos/modules/system/boot/stage-2-init.sh
  40. 47
      nixos/modules/tasks/network-interfaces.nix
  41. 4
      nixos/modules/virtualisation/virtualbox-host.nix
  42. 2
      nixos/tests/smokeping.nix
  43. 2
      pkgs/applications/editors/sublime3/default.nix
  44. 4
      pkgs/applications/networking/browsers/chromium/default.nix
  45. 2
      pkgs/applications/networking/instant-messengers/gale/gale-install.in.patch
  46. 2
      pkgs/applications/version-management/gitlab/remove-hardcoded-locations.patch
  47. 6
      pkgs/applications/virtualization/virtualbox/hardened.patch
  48. 2
      pkgs/build-support/build-fhs-userenv/env.nix
  49. 6
      pkgs/desktops/enlightenment/enlightenment.nix
  50. 2
      pkgs/development/libraries/kde-frameworks/kinit/start_kdeinit-path.patch
  51. 4
      pkgs/development/libraries/libgksu/default.nix
  52. 2
      pkgs/development/libraries/polkit/default.nix
  53. 2
      pkgs/development/tools/unity3d/default.nix
  54. 2
      pkgs/os-specific/linux/fuse/default.nix
  55. 2
      pkgs/os-specific/linux/mdadm/4.nix
  56. 2
      pkgs/os-specific/linux/mdadm/default.nix
  57. 2
      pkgs/os-specific/linux/pam/default.nix
  58. 2
      pkgs/os-specific/linux/util-linux/default.nix
  59. 2
      pkgs/servers/interlock/default.nix
  60. 2
      pkgs/servers/mail/petidomo/default.nix
  61. 4
      pkgs/servers/monitoring/nagios/plugins/official-2.x.nix
  62. 4
      pkgs/tools/X11/x11vnc/default.nix
  63. 2
      pkgs/tools/admin/certbot/default.nix
  64. 2
      pkgs/tools/misc/debian-devscripts/default.nix
  65. 2
      pkgs/tools/security/ecryptfs/default.nix
  66. 2
      pkgs/tools/security/ecryptfs/helper.nix
  67. 2
      pkgs/tools/security/sudo/default.nix
  68. 2
      pkgs/tools/system/at/default.nix
  69. 2
      pkgs/tools/system/cron/default.nix
  70. 2
      pkgs/tools/system/ts/default.nix

@ -202,7 +202,7 @@ following incompatible changes:</para>
<listitem>
<para>The directory container setuid wrapper programs,
<filename>/var/permissions-wrappers</filename>, <link
<filename>/var/setuid-wrappers</filename>, <link
xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now
updated atomically to prevent failures if the switch to a new
configuration is interrupted.</link></para>

@ -15,6 +15,14 @@ has the following highlights: </para>
xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">Nixpkgs
manual</link> for more information.</para>
</listitem>
<listitem>
<para>Setting capabilities on programs is now supported with a
<literal>setcap-wrapper</literal> functionality. This
functionality and the <literal>setuid-wrapper</literal> are merged
into a single "wrappers" module.</para>
</listitem>
</itemizedlist>
<para>The following new services were added since the last release:</para>

@ -168,8 +168,8 @@ in
${cfg.extraInit}
# The setuid wrappers override other bin directories.
export PATH="${config.security.permissionsWrapperDir}:$PATH"
# The setuid/setcap wrappers override other bin directories.
export PATH="${config.security.wrapperDir}:$PATH"
# ~/bin if it exists overrides other bin directories.
export PATH="$HOME/bin:$PATH"

@ -343,7 +343,7 @@ foreach my $fs (read_file("/proc/self/mountinfo")) {
# Skip special filesystems.
next if in($mountPoint, "/proc") || in($mountPoint, "/dev") || in($mountPoint, "/sys") || in($mountPoint, "/run") || $mountPoint eq "/var/lib/nfs/rpc_pipefs";
next if $mountPoint eq "/var/permissions-wrappers";
next if $mountPoint eq "/run/wrappers";
# Skip the optional fields.
my $n = 6; $n++ while $fields[$n] ne "-"; $n++;
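Review bot: The new `next if $mountPoint eq "/run/wrappers";` looks unreachable, because the line above it already skips every mount point for which `in($mountPoint, "/run")` holds. `in` is defined outside this hunk, so this assumes it matches sub-paths, as its use for `/proc`, `/dev` and `/sys` suggests. If that holds, drop the line, or keep it with a comment such as `# already covered by the /run check above; kept to name the wrapper tmpfs explicitly`. The loop body continues outside the hunk.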

@ -92,14 +92,13 @@ fi
mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home
mkdir -m 01777 -p $mountPoint/tmp
mkdir -m 0755 -p $mountPoint/tmp/root
mkdir -m 0755 -p $mountPoint/var/permissions-wrappers
mkdir -m 0755 -p $mountPoint/var
mkdir -m 0700 -p $mountPoint/root
mount --rbind /dev $mountPoint/dev
mount --rbind /proc $mountPoint/proc
mount --rbind /sys $mountPoint/sys
mount --rbind / $mountPoint/tmp/root
mount -t tmpfs -o "mode=0755" none $mountPoint/run
mount -t tmpfs -o "mode=0755" none $mountPoint/var/permissions-wrappers
rm -rf $mountPoint/var/run
ln -s /run $mountPoint/var/run
for f in /etc/resolv.conf /etc/hosts; do rm -f $mountPoint/$f; [ -f "$f" ] && cp -Lf $f $mountPoint/etc/; done
@ -260,9 +259,9 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate
# Ask the user to set a root password.
if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /var/permissions-wrappers/passwd ] && [ -t 0 ]; then
if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /run/wrappers/passwd ] && [ -t 0 ]; then
echo "setting root password..."
chroot $mountPoint /var/permissions-wrappers/passwd
chroot $mountPoint /run/wrappers/passwd
fi
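Review bot: In the last hunk, the root-password step is skipped without any message when `/run/wrappers/passwd` is not executable inside the chroot. The first hunk drops the dedicated tmpfs for the wrapper directory, so that file now exists only if activation populated `/run/wrappers` on the `$mountPoint/run` tmpfs. A wrapper problem therefore leaves the root password unset with nothing on the console to say so. I would test for the wrapper separately and warn when it is absent, e.g. `echo "warning: /run/wrappers/passwd not found, root password not set" >&2`. A comment on the `$mountPoint/run` mount saying that the setuid wrappers live there, so it must not gain `nosuid`, would also help.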

@ -113,7 +113,7 @@
./security/prey.nix
./security/rngd.nix
./security/rtkit.nix
./security/permissions-wrappers
./security/wrappers
./security/sudo.nix
./services/amqp/activemq/default.nix
./services/amqp/rabbitmq.nix

@ -11,13 +11,6 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.kbdlight ];
security.permissionsWrappers.setuid =
[ { program = "kbdlight";
source = "${pkgs.kbdlight.out}/bin/kbdlight";
owner = "root";
group = "root";
setuid = true;
}];
security.setuidPrograms = [ "kbdlight" ];
};
}

@ -21,13 +21,6 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.light ];
security.permissionsWrappers.setuid =
[ { program = "light";
source = "${pkgs.light.out}/bin/light";
owner = "root";
group = "root";
setuid = true;
}];
security.setuidPrograms = [ "light" ];
};
}

@ -101,49 +101,9 @@ in
chpasswd = { rootOK = true; };
};
security.permissionsWrappers.setuid =
[
{ program = "su";
source = "${pkgs.shadow.su}/bin/su";
owner = "root";
group = "root";
setuid = true;
}
{ program = "chfn";
source = "${pkgs.shadow.out}/bin/chfn";
owner = "root";
group = "root";
setuid = true;
}
] ++
(lib.optionals config.users.mutableUsers
map (x: x // { owner = "root";
group = "root";
setuid = true;
})
[
{ program = "passwd";
source = "${pkgs.shadow.out}/bin/passwd";
}
{ program = "sg";
source = "${pkgs.shadow.out}/bin/sg";
}
{ program = "newgrp";
source = "${pkgs.shadow.out}/bin/newgrp";
}
{ program = "newuidmap";
source = "${pkgs.shadow.out}/bin/newuidmap";
}
{ program = "newgidmap";
source = "${pkgs.shadow.out}/bin/newgidmap";
}
]
);
security.setuidPrograms = [
"su" "chfn" "newuidmap" "newgidmap"
] ++ lib.optionals config.users.mutableUsers
[ "passwd" "sg" "newgrp" ];
};
}
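Review bot: `newuidmap` and `newgidmap` are now in the unconditional part of `security.setuidPrograms`, whereas the removed list placed them in the group guarded by `config.users.mutableUsers`. This adds two setuid-root wrappers on systems with immutable users. If that is intended it deserves a comment saying why; otherwise move them back under the guard: `lib.optionals config.users.mutableUsers [ "passwd" "sg" "newgrp" "newuidmap" "newgidmap" ]`.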

@ -19,7 +19,7 @@ with lib;
config = mkIf (cfg.confineSUIDApplications) {
security.apparmor.profiles = [ (pkgs.writeText "ping" ''
#include <tunables/global>
/var/permissions-wrappers/ping {
/run/wrappers/ping {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
@ -33,7 +33,7 @@ with lib;
${pkgs.attr.out}/lib/libattr.so* mr,
${pkgs.iputils}/bin/ping mixr,
/var/permissions-wrappers/ping.real r,
/run/wrappers/ping.real r,
#/etc/modules.conf r,

@ -27,10 +27,6 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ sandbox ];
security.permissionsWrappers.setuid = [
{ program = sandbox.passthru.sandboxExecutableName;
source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";
}
];
security.setuidPrograms = [ sandbox.passthru.sandboxExecutableName ];
};
}

@ -188,16 +188,7 @@ in
environment.systemPackages = [ pkgs.duo-unix ];
security.permissionsWrappers.setuid =
[
{ program = "login_duo";
source = "${pkgs.duo-unix.out}/bin/login_duo";
owner = "root";
group = "root";
setuid = true;
}
];
security.setuidPrograms = [ "login_duo" ];
environment.etc = loginCfgFile ++ pamCfgFile;
/* If PAM *and* SSH are enabled, then don't do anything special.

@ -472,33 +472,14 @@ in
++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
security.permissionsWrappers.setuid =
[
{ program = "unix_chkpwd";
source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
owner = "root";
group = "root";
setuid = true;
}
] ++ (optional config.security.pam.enableEcryptfs
{ program = "umount.ecryptfs_private";
source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
owner = "root";
group = "root";
setuid = true;
}
) ++ (optional config.security.pam.enableEcryptfs
{ program = "mount.ecryptfs_private";
source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
owner = "root";
group = "root";
setuid = true;
}
);
security.setuidPrograms =
optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ];
security.wrappers.unix_chkpwd = {
source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
owner = "root";
setuid = true;
};
environment.etc =
mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
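Review bot: `security.wrappers.unix_chkpwd` sets `owner = "root"` and `setuid = true` but no `group`, and `mkSetuidProgram` in wrappers/default.nix on this page defaults `group` to `"nogroup"`. The wrapper would therefore be chowned `root.nogroup`, where the removed entry had `group = "root"`. Adding `group = "root";` keeps the previous ownership. The enclosing `config` block starts and ends outside the hunk.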

@ -33,22 +33,7 @@ in
config = mkIf (cfg.enable || anyUsbAuth) {
# Make sure pmount and pumount are setuid wrapped.
security.permissionsWrappers.setuid =
[
{ program = "pmount";
source = "${pkgs.pmount.out}/bin/pmount";
owner = "root";
group = "root";
setuid = true;
}
{ program = "pumount";
source = "${pkgs.pmount.out}/bin/pumount";
owner = "root";
group = "root";
setuid = true;
}
];
security.setuidPrograms = [ "pmount" "pumount" ];
environment.systemPackages = [ pkgs.pmount ];

@ -1,191 +0,0 @@
{ config, lib, pkgs, ... }:
let
inherit (config.security) run-permissionsWrapperDir permissionsWrapperDir;
isNotNull = v: if v != null then true else false;
cfg = config.security.permissionsWrappers;
setcapWrappers = import ./setcap-wrapper-drv.nix {
inherit config lib pkgs;
};
setuidWrappers = import ./setuid-wrapper-drv.nix {
inherit config lib pkgs;
};
###### Activation script for the setcap wrappers
configureSetcapWrapper =
{ program
, capabilities
, source ? null
, owner ? "nobody"
, group ? "nogroup"
}: ''
cp ${setcapWrappers}/bin/${program}.wrapper $permissionsWrapperDir/${program}
# Prevent races
chmod 0000 $permissionsWrapperDir/${program}
chown ${owner}.${group} $permissionsWrapperDir/${program}
# Set desired capabilities on the file plus cap_setpcap so
# the wrapper program can elevate the capabilities set on
# its file into the Ambient set.
#
# Only set the capabilities though if we're being told to
# do so.
${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $permissionsWrapperDir/${program}
# Set the executable bit
chmod u+rx,g+x,o+x $permissionsWrapperDir/${program}
'';
###### Activation script for the setuid wrappers
configureSetuidWrapper =
{ program
, source ? null
, owner ? "nobody"
, group ? "nogroup"
, setuid ? false
, setgid ? false
, permissions ? "u+rx,g+x,o+x"
}: ''
cp ${setuidWrappers}/bin/${program}.wrapper $permissionsWrapperDir/${program}
# Prevent races
chmod 0000 $permissionsWrapperDir/${program}
chown ${owner}.${group} $permissionsWrapperDir/${program}
chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $permissionsWrapperDir/${program}
'';
in
{
###### interface
options = {
security.permissionsWrappers.setcap = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
default = [];
example =
[ { program = "ping";
source = "${pkgs.iputils.out}/bin/ping";
owner = "nobody";
group = "nogroup";
capabilities = "cap_net_raw+ep";
}
];
description = ''
This option sets capabilities on a wrapper program that
propagates those capabilities down to the wrapped, real
program.
The `program` attribute is the name of the program to be
wrapped. If no `source` attribute is provided, specifying the
absolute path to the program, then the program will be
searched for in the path environment variable.
NOTE: cap_setpcap, which is required for the wrapper program
to be able to raise caps into the Ambient set is NOT raised to
the Ambient set so that the real program cannot modify its own
capabilities!! This may be too restrictive for cases in which
the real program needs cap_setpcap but it at least leans on
the side security paranoid vs. too relaxed.
'';
};
security.permissionsWrappers.setuid = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
default = [];
example =
[ { program = "sendmail";
source = "/nix/store/.../bin/sendmail";
owner = "nobody";
group = "postdrop";
setuid = false;
setgid = true;
permissions = "u+rx,g+x,o+x";
}
];
description = ''
This option allows the ownership and permissions on the setuid
wrappers for specific programs to be overridden from the
default (setuid root, but not setgid root).
'';
};
security.permissionsWrapperDir = lib.mkOption {
type = lib.types.path;
default = "/var/permissions-wrappers";
internal = true;
description = ''
This option defines the path to the permissions wrappers. It
should not be overriden.
'';
};
security.run-permissionsWrapperDir = lib.mkOption {
type = lib.types.path;
default = "/run/permissions-wrapper-dirs";
internal = true;
description = ''
This option defines the run path to the permissions
wrappers. It should not be overriden.
'';
};
};
###### implementation
config = {
# Make sure our setcap-wrapper dir exports to the PATH env
# variable when initializing the shell
environment.extraInit = ''
# The permissions wrappers override other bin directories.
export PATH="${permissionsWrapperDir}:$PATH"
'';
system.activationScripts.wrapper-dir = ''
mkdir -p "${permissionsWrapperDir}"
'';
###### setcap activation script
system.activationScripts.permissions-wrappers =
lib.stringAfter [ "users" ]
''
# Look in the system path and in the default profile for
# programs to be wrapped.
PERMISSIONS_WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
mkdir -p ${run-permissionsWrapperDir}
permissionsWrapperDir=$(mktemp --directory --tmpdir=${run-permissionsWrapperDir} permissions-wrappers.XXXXXXXXXX)
chmod a+rx $permissionsWrapperDir
${lib.concatMapStrings configureSetcapWrapper (builtins.filter isNotNull cfg.setcap)}
${lib.concatMapStrings configureSetuidWrapper (builtins.filter isNotNull cfg.setuid)}
if [ -L ${permissionsWrapperDir} ]; then
# Atomically replace the symlink
# See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
old=$(readlink ${permissionsWrapperDir})
ln --symbolic --force --no-dereference $permissionsWrapperDir ${permissionsWrapperDir}-tmp
mv --no-target-directory ${permissionsWrapperDir}-tmp ${permissionsWrapperDir}
rm --force --recursive $old
elif [ -d ${permissionsWrapperDir} ]; then
# Compatibility with old state, just remove the folder and symlink
rm -f ${permissionsWrapperDir}/*
# if it happens to be a tmpfs
${pkgs.utillinux}/bin/umount ${permissionsWrapperDir} || true
rm -d ${permissionsWrapperDir}
ln -d --symbolic $permissionsWrapperDir ${permissionsWrapperDir}
else
# For initial setup
ln --symbolic $permissionsWrapperDir ${permissionsWrapperDir}
fi
'';
};
}

@ -83,22 +83,8 @@ in
security.pam.services.polkit-1 = {};
security.permissionsWrappers.setuid =
[
{ program = "pkexec";
source = "${pkgs.polkit.out}/bin/pkexec";
owner = "root";
group = "root";
setuid = true;
}
{ program = "polkit-agent-helper-1";
owner = "root";
group = "root";
setuid = true;
source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
}
];
security.setuidPrograms = [ "pkexec" ];
security.wrappers."polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
system.activationScripts.polkit =
''
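Review bot: `security.wrappers."polkit-agent-helper-1"` only sets `source`, so it loses the `owner = "root"`, `group = "root"` and `setuid = true` that the removed entry carried. With the dispatch in wrappers/default.nix on this page, an entry with none of `setuid`, `permissions` or `capabilities` maps to an empty string, so no wrapper would be generated for the helper at all. I would spell it out: `security.wrappers."polkit-agent-helper-1" = { source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1"; owner = "root"; group = "root"; setuid = true; };`. The surrounding `config` block continues outside the hunk.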

@ -81,22 +81,7 @@ in
${cfg.extraConfig}
'';
security.permissionsWrappers.setuid =
[
{ program = "sudo";
source = "${pkgs.sudo.out}/bin/sudo";
owner = "root";
group = "root";
setuid = true;
}
{ program = "sudoedit";
source = "${pkgs.sudo.out}/bin/sudoedit";
owner = "root";
group = "root";
setuid = true;
}
];
security.setuidPrograms = [ "sudo" "sudoedit" ];
environment.systemPackages = [ sudo ];

@ -0,0 +1,191 @@
{ config, lib, pkgs, ... }:
let
inherit (config.security) wrapperDir;
isNotNull = v: if v != null || v != "" then true else false;
cfg = config.security.wrappers;
setcapWrappers = import ./setcap-wrapper-drv.nix {
inherit config lib pkgs;
};
setuidWrappers = import ./setuid-wrapper-drv.nix {
inherit config lib pkgs;
};
###### Activation script for the setcap wrappers
mkSetcapProgram =
{ program
, capabilities
, source ? null
, owner ? "nobody"
, group ? "nogroup"
...
}: ''
cp ${setcapWrappers}/bin/${program}.wrapper $wrapperDir/${program}
# Prevent races
chmod 0000 $wrapperDir/${program}
chown ${owner}.${group} $wrapperDir/${program}
# Set desired capabilities on the file plus cap_setpcap so
# the wrapper program can elevate the capabilities set on
# its file into the Ambient set.
#
# Only set the capabilities though if we're being told to
# do so.
${pkgs.libcap.out}/bin/setcap "cap_setpcap,${capabilities}" $wrapperDir/${program}
# Set the executable bit
chmod u+rx,g+x,o+x $wrapperDir/${program}
'';
###### Activation script for the setuid wrappers
mkSetuidProgram =
{ program
, source ? null
, owner ? "nobody"
, group ? "nogroup"
, setuid ? false
, setgid ? false
, permissions ? "u+rx,g+x,o+x"
...
}: ''
cp ${setuidWrappers}/bin/${program}.wrapper $wrapperDir/${program}
# Prevent races
chmod 0000 $wrapperDir/${program}
chown ${owner}.${group} $wrapperDir/${program}
chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program}
'';
in
{
###### interface
options = {
security.wrappers.setcap = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
default = [];
example =
[ { program = "ping";
source = "${pkgs.iputils.out}/bin/ping";
owner = "nobody";
group = "nogroup";
capabilities = "cap_net_raw+ep";
}
];
description = ''
This option sets capabilities on a wrapper program that
propagates those capabilities down to the wrapped, real
program.
The <literal>program</literal> attribute is the name of the
program to be wrapped. If no <literal>source</literal>
attribute is provided, specifying the absolute path to the
program, then the program will be searched for in the path
environment variable.
NOTE: cap_setpcap, which is required for the wrapper program
to be able to raise caps into the Ambient set is NOT raised to
the Ambient set so that the real program cannot modify its own
capabilities!! This may be too restrictive for cases in which
the real program needs cap_setpcap but it at least leans on
the side security paranoid vs. too relaxed.
'';
};
security.setuidPrograms = mkOption {
type = types.listOf types.str;
default = [];
example = ["passwd"];
description = ''
The Nix store cannot contain setuid/setgid programs directly.
For this reason, NixOS can automatically generate wrapper
programs that have the necessary privileges. This option
lists the names of programs in the system environment for
which setuid root wrappers should be created.
'';
};
security.wrappers = lib.mkOption {
type = lib.types.attrs;
default = {};
example = {
sendmail.source = "/nix/store/.../bin/sendmail";
};
description = ''
This option allows the ownership and permissions on the setuid
wrappers for specific programs to be overridden from the
default (setuid root, but not setgid root).
'';
};
security.old-wrapperDir = lib.mkOption {
type = lib.types.path;
default = "/var/setuid-wrappers";
internal = true;
description = ''
This option defines the path to the wrapper programs. It
should not be overriden.
'';
};
security.wrapperDir = lib.mkOption {
type = lib.types.path;
default = "/run/wrappers";
internal = true;
description = ''
This option defines the path to the wrapper programs. It
should not be overriden.
'';
};
};
###### implementation
config = {
# Make sure our setcap-wrapper dir exports to the PATH env
# variable when initializing the shell
environment.extraInit = ''
# The permissions wrappers override other bin directories.
export PATH="${wrapperDir}:$PATH"
'';
###### setcap activation script
system.activationScripts.wrappers =
let
programs =
(map (x: { program = x; owner = "root"; group = "root"; setuid = true; })
config.security.setuidPrograms)
++ lib.mapAttrsToList
(n: v: (if v ? "program" then v else v // {program=n;}))
cfg.wrappers;
wrapperPrograms =
builtins.map
(s: if (s ? "setuid" && s.setuid == true) ||
(s ? "setguid" && s.setguid == true) ||
(s ? "permissions")
then mkSetuidProgram s
else if (s ? "capabilities")
then mkSetcapProgram s
else ""
) programs;
in lib.stringAfter [ "users" ]
''
# Look in the system path and in the default profile for
# programs to be wrapped.
WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
mkdir -p ${wrapperDir}
wrapperDir=$(mktemp --directory --tmpdir=${wrapperDir} wrappers.XXXXXXXXXX)
chmod a+rx $wrapperDir
${lib.concatStringsSep "\n" (builtins.filter isNotNull cfg.wrappers)}
'';
};
}
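Review bot: The activation script at the end of this file never emits the wrapper commands: it interpolates `builtins.filter isNotNull cfg.wrappers` (with `cfg` already bound to `config.security.wrappers`) instead of the `wrapperPrograms` list built in the `let`, so as written no wrapper is installed; `${lib.concatStringsSep "\n" wrapperPrograms}` looks like the intended line. The dispatch tests `s ? "setguid"` while `mkSetuidProgram` takes `setgid`, so a setgid-only entry falls through to `""`, and `isNotNull` uses `||`, which is true for every value (`v != null && v != ""` is probably what was meant). The script also stops after creating a `mktemp` directory below `${wrapperDir}`, without the symlink swap the removed module had. Nothing would therefore appear at `/run/wrappers/<program>`, the path that PATH, the installer's `passwd` check, the `sendmail` settings and the AppArmor profile elsewhere in this commit all refer to. Separately, `security.setuidPrograms` is declared with bare `mkOption` and `types` although the file has no `with lib;` and uses `lib.mkOption` everywhere else.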

@ -1,7 +1,7 @@
{ config, lib, pkgs, ... }:
let
cfg = config.security.permissionsWrappers;
cfg = config.security.wrappers;
# Produce a shell-code splice intended to be stitched into one of
# the build or install phases within the derivation.
@ -12,7 +12,7 @@ let
source=/nix/var/nix/profiles/default/bin/${program}
fi
gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-permissionsWrapperDir}\" \
gcc -Wall -O2 -DWRAPPER_SETCAP=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-wrapperDir}\" \
-lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
-I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
'';
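Review bot: `-DWRAPPER_DIR` is built from `config.security.run-wrapperDir`, but the options declared in wrappers/default.nix on this page are only `security.wrapperDir` and `security.old-wrapperDir`, so this reference has nothing to resolve to. WRAPPER_DIR is compiled into the wrapper binary, so it should name the directory the wrappers are actually installed in. `-DWRAPPER_DIR=\"${config.security.wrapperDir}\"` looks like the intended value, assuming permissions-wrapper.c (not shown here) checks its own location against it. setuid-wrapper-drv.nix carries the same reference. The enclosing function starts outside the hunk.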

@ -1,18 +1,18 @@
{ config, lib, pkgs, ... }:
let
cfg = config.security.permissionsWrappers;
cfg = config.security.wrappers;
# Produce a shell-code splice intended to be stitched into one of
# the build or install phases within the derivation.
mkSetuidWrapper = { program, source ? null, ...}: ''
if ! source=${if source != null then source else "$(readlink -f $(PATH=$PERMISSIONS_WRAPPER_PATH type -tP ${program}))"}; then
# If we can't find the program, fall back to the
# system profile.
source=/nix/var/nix/profiles/default/bin/${program}
if ! source=${if source != null then source else "$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))"}; then
# If we can't find the program, fall back to the
# system profile.
source=/nix/var/nix/profiles/default/bin/${program}
fi
gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-permissionsWrapperDir}\" \
gcc -Wall -O2 -DWRAPPER_SETUID=1 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"${config.security.run-wrapperDir}\" \
-lcap-ng -lcap ${./permissions-wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
-I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
'';

@ -29,8 +29,8 @@ let
};
cronJob = ''
@reboot logcheck env PATH=/var/permissions-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags}
2 ${cfg.timeOfDay} * * * logcheck env PATH=/var/permissions-wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags}
@reboot logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck -R ${flags}
2 ${cfg.timeOfDay} * * * logcheck env PATH=/run/wrappers:$PATH nice -n10 ${pkgs.logcheck}/sbin/logcheck ${flags}
'';
writeIgnoreRule = name: {level, regex, ...}:

@ -13,7 +13,7 @@ let
''
base_dir = ${baseDir}
protocols = ${concatStringsSep " " cfg.protocols}
sendmail_path = /var/permissions-wrappers/sendmail
sendmail_path = /run/wrappers/sendmail
''
(if isNull cfg.sslServerCert then ''

@ -70,7 +70,7 @@ in
etc."exim.conf".text = ''
exim_user = ${cfg.user}
exim_group = ${cfg.group}
exim_path = /var/permissions-wrappers/exim
exim_path = /run/wrappers/exim
spool_directory = ${cfg.spoolDir}
${cfg.config}
'';
@ -89,15 +89,7 @@ in
gid = config.ids.gids.exim;
};
security.permissionsWrappers.setuid =
[
{ program = "exim";
source = "${pkgs.exim.out}/bin/exim";
owner = "root";
group = "root";
setuid = true;
}
];
security.setuidPrograms = [ "exim" ];
systemd.services.exim = {
description = "Exim Mail Daemon";

@ -26,7 +26,7 @@ with lib;
config = mkIf (config.services.mail.sendmailSetuidWrapper != null) {
security.permissionsWrappers.setuid = [ config.services.mail.sendmailSetuidWrapper ];
security.wrappers.setuid = [ config.services.mail.sendmailSetuidWrapper ];
};
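Review bot: `security.wrappers.setuid = [ … ]` keeps the old list shape, but the new wrappers/default.nix on this page declares `security.wrappers` as an attribute set keyed by program name and no longer declares a `setuid` sub-option. As written the list would be treated as one wrapper entry named `setuid` (and `v // {program=n;}` cannot be applied to a list), so sendmail would not get its wrapper. Something like `security.wrappers.sendmail = config.services.mail.sendmailSetuidWrapper;` matches the new interface, assuming that value is an attribute set carrying `source`, `owner` and the setuid/setgid flags. The same pattern appears in the gale.nix, atd.nix, dbus.nix, kde4.nix and kde5.nix sections, and the cron.nix option description still points readers at `security.wrappers.setuid`.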

@ -34,7 +34,7 @@ let
cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file)
wrapProgram $file \
--set PATH "/var/permissions-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \
--set PATH "/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" \
--set MUNIN_LIBDIR "${pkgs.munin}/lib" \
--set MUNIN_PLUGSTATE "/var/run/munin"
@ -183,7 +183,7 @@ in
mkdir -p /etc/munin/plugins
rm -rf /etc/munin/plugins/*
PATH="/var/permissions-wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
PATH="/run/wrappers:/run/current-system/sw/bin:/run/current-system/sw/bin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
'';
serviceConfig = {
ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/";

@ -124,7 +124,7 @@ in
};
mailer = mkOption {
default = "/var/permissions-wrappers/sendmail";
default = "/run/wrappers/sendmail";
type = types.path;
description = ''
Sendmail-compatible binary to be used to send the messages.

@ -30,7 +30,7 @@ let
''
[ global ]
security = ${cfg.securityType}
passwd program = /var/permissions-wrappers/passwd %u
passwd program = /run/wrappers/passwd %u
pam password change = ${smbToString cfg.syncPasswordsByPam}
invalid users = ${smbToString cfg.invalidUsers}

@ -141,7 +141,7 @@ in
setgid = false;
};
security.permissionsWrappers.setuid = [ cfg.setuidWrapper ];
security.wrappers.setuid = [ cfg.setuidWrapper ];
systemd.services.gale-galed = {
description = "Gale messaging daemon";

@ -18,7 +18,7 @@ let
var_prefix = "${stateDir}"
prayer_user = "${prayerUser}"
prayer_group = "${prayerGroup}"
sendmail_path = "/var/permissions-wrappers/sendmail"
sendmail_path = "/run/wrappers/sendmail"
use_http_port ${cfg.port}

@ -219,14 +219,14 @@ in
type = types.string;
default = ''
+ FPing
binary = ${config.security.permissionsWrapperDir}/fping
binary = ${config.security.wrapperDir}/fping
'';
description = "Probe configuration";
};
sendmail = mkOption {
type = types.nullOr types.path;
default = null;
example = "/var/permissions-wrappers/sendmail";
example = "/run/wrappers/sendmail";
description = "Use this sendmail compatible script to deliver alerts";
};
smokeMailTemplate = mkOption {
@ -273,21 +273,7 @@ in
message = "services.smokeping: sendmail and Mailhost cannot both be enabled.";
}
];
security.permissionsWrappers.setuid = [
{ program = "fping";
source = "${pkgs.fping}/bin/fping";
owner = "root";
group = "root";
setuid = true;
}
{ program = "fping";
source = "${pkgs.fping}/bin/fping6";
owner = "root";
group = "root";
setuid = true;
}
];
security.setuidPrograms = [ "fping" "fping6" ];
environment.systemPackages = [ pkgs.fping ];
users.extraUsers = singleton {
name = cfg.user;

@ -42,7 +42,7 @@ in
config = mkIf cfg.enable {
security.permissionsWrappers.setuid = map (program: {
security.wrappers.setuid = map (program: {
inherit program;
source = "${pkgs.atd}/bin/${program}";

@ -20,7 +20,7 @@ let
cronNixosPkg = pkgs.cron.override {
# The mail.nix nixos module, if there is any local mail system enabled,
# should have sendmail in this path.
sendmailPath = "/var/permissions-wrappers/sendmail";
sendmailPath = "/run/wrappers/sendmail";
};
allFiles =
@ -61,7 +61,7 @@ in
A list of Cron jobs to be appended to the system-wide
crontab. See the manual page for crontab for the expected
format. If you want to get the results mailed you must setuid
sendmail. See <option>security.permissionsWrappers.setuid</option>
sendmail. See <option>security.wrappers.setuid</option>
If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only root
will is allowed to have its own crontab file. The /var/cron/cron.deny file
@ -92,21 +92,9 @@ in
config = mkMerge [
{ services.cron.enable = mkDefault (allFiles != []); }
(mkIf (config.services.cron.enable) {
security.permissionsWrappers.setuid =
[
{ program = "crontab";
source = "${pkgs.cronNixosPkg.out}/bin/crontab";
owner = "root";
group = "root";
setuid = true;
}
];
security.setuidPrograms = [ "crontab" ];
environment.systemPackages = [ cronNixosPkg ];
environment.etc.crontab =
{ source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; }
''

@ -96,7 +96,7 @@ in
fcronallow = /etc/fcron.allow
fcrondeny = /etc/fcron.deny
shell = /bin/sh
sendmail = /var/permissions-wrappers/sendmail
sendmail = /run/wrappers/sendmail
editor = /run/current-system/sw/bin/vi
'';
target = "fcron.conf";
@ -106,16 +106,7 @@ in
environment.systemPackages = [ pkgs.fcron ];
security.permissionsWrappers.setuid =
[
{ program = "fcrontab";
source = "${pkgs.fcron.out}/bin/fcrontab";
owner = "root";
group = "root";
setuid = true;
}
];
security.setuidPrograms = [ "fcrontab" ];
systemd.services.fcron = {
description = "fcron daemon";
after = [ "local-fs.target" ];

@ -38,7 +38,7 @@ let
sed -ri "s@/etc/dbus-1/(system|session)-@$out/\1-@" $out/{system,session}.conf
sed '${./dbus-system-local.conf.in}' \
-e 's,@servicehelper@,${config.security.permissionsWrapperDir}/dbus-daemon-launch-helper,g' \
-e 's,@servicehelper@,${config.security.wrapperDir}/dbus-daemon-launch-helper,g' \
-e 's,@extra@,${systemExtraxml},' \
> "$out/system-local.conf"
@ -114,7 +114,7 @@ in
systemd.packages = [ pkgs.dbus.daemon ];
security.permissionsWrappers.setuid = singleton
security.wrappers.setuid = singleton
{ program = "dbus-daemon-launch-helper";
source = "${pkgs.dbus.daemon}/libexec/dbus-daemon-launch-helper";
owner = "root";

@ -62,16 +62,7 @@ in
'';
}];
security.permissionsWrappers.setuid =
[
{ program = "e_freqset";
source = "${e.enlightenment.out}/bin/e_freqset";
owner = "root";
group = "root";
setuid = true;
}
];
security.setuidPrograms = [ "e_freqset" ];
environment.etc = singleton
{ source = "${pkgs.xkeyboard_config}/etc/X11/xkb";
target = "X11/xkb";

@ -131,7 +131,7 @@ in
'';
};
security.permissionsWrappers.setuid = singleton
security.wrappers.setuid = singleton
{ program = "kcheckpass";
source = "${kde_workspace}/lib/kde4/libexec/kcheckpass";
owner = "root";

@ -68,7 +68,7 @@ in
'';
};
security.permissionsWrappers.setuid = [
security.wrappers.setuid = [
{
program = "kcheckpass";
source = "${kde5.plasma-workspace.out}/lib/libexec/kcheckpass";

@ -131,10 +131,10 @@ if [ -n "@useHostResolvConf@" -a -e /etc/resolv.conf ]; then
cat /etc/resolv.conf | resolvconf -m 1000 -a host
fi
# Create /var/permissions-wrappers as a tmpfs.
rm -rf /var/permissions-wrappers
mkdir -m 0755 -p /var/permissions-wrappers
mount -t tmpfs -o "mode=0755" tmpfs /var/permissions-wrappers
# Create /run/wrappers as a tmpfs.
rm -rf /run/wrappers
mkdir -m 0755 -p /run/wrappers
mount -t tmpfs -o "mode=0755" tmpfs /run/wrappers
# Log the script output to /dev/kmsg or /run/log/stage-2-init.log.
# Only at this point are all the necessary prerequisites ready for these commands.
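Review bot: The tmpfs for `/run/wrappers` is mounted with only `mode=0755`, so device nodes stay usable on the one filesystem that has to allow setuid bits and file capabilities. The directory is meant to hold wrapper executables only, so `nodev` should cost nothing: `mount -t tmpfs -o "mode=0755,nodev" tmpfs /run/wrappers`. The mount's exit status is also ignored. If the mount fails, the wrappers would be written to whatever backs /run, which may be mounted nosuid (not visible here), so logging the failure would make broken wrappers diagnosable. The script continues outside this hunk.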

@ -898,38 +898,23 @@ in
# Capabilities won't work unless we have at-least a 4.3 Linux
# kernel because we need the ambient capability
security.permissionsWrappers.setcap = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") (
[
{ program = "ping";
source = "${pkgs.iputils.out}/bin/ping";
capabilities = "cap_net_raw+p";
}
security.wrappers = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") {
ping = {
source = "${pkgs.iputils.out}/bin/ping";
capabilities = "cap_net_raw+p";
};
{ program = "ping6";
source = "${pkgs.iputils.out}/bin/ping6";
capabilities = "cap_net_raw+p";
}
]
);
# If our linux kernel IS older than 4.3, let's setuid ping and ping6
security.permissionsWrappers.setuid = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") (
[
{ program = "ping";
source = "${pkgs.iputils.out}/bin/ping";
owner = "root";
group = "root";
setuid = true;
}
{ program = "ping6";
source = "${pkgs.iputils.out}/bin/ping6";
owner = "root";
group = "root";
setuid = true;
}
]
);
ping6 = {
source = "${pkgs.iputils.out}/bin/ping6";
capabilities = "cap_net_raw+p";
};
};
# If the linux kernel IS older than 4.3, create setuid wrappers
# for ping and ping6
security.setuidPrograms = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") [
"ping" "ping6"
];
# Set the host and domain names in the activation script. Don't
# clear it if it's not configured in the NixOS configuration,
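Review bot: Both `mkIf` conditions test `config.boot.kernelPackages.kernel`, which is the kernel this configuration will boot rather than the one running when it is activated. After a switch without a reboot from a pre-4.3 kernel, the `cap_net_raw+p` wrappers for ping and ping6 would be installed on a kernel that lacks ambient capabilities. Unprivileged ping would then presumably fail until the next boot. The comment above `security.wrappers` could state this: `# Decided from the configured kernel, so it only holds once that kernel is booted.`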

@ -68,7 +68,7 @@ in
boot.extraModulePackages = [ kernelModules ];
environment.systemPackages = [ virtualbox ];
security.permissionsWrappers.setuid = let
security.wrappers.setuid = let
mkSuid = program: {
inherit program;
source = "${virtualbox}/libexec/virtualbox/${program}";
@ -99,7 +99,7 @@ in
SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
'';
# Since we lack the right setuid binaries, set up a host-only network by default.
# Since we lack the right setuid/setcap binaries, set up a host-only network by default.
} (mkIf cfg.addNetworkInterface {
systemd.services."vboxnet0" =
{ description = "VirtualBox vboxnet0 Interface";

@ -14,7 +14,7 @@ import ./make-test.nix ({ pkgs, ...} : {
mailHost = "127.0.0.2";
probeConfig = ''
+ FPing
binary = /var/permissions-wrappers/fping
binary = /run/wrappers/fping
offset = 0%
'';
};

@ -1,5 +1,5 @@
{ fetchurl, stdenv, glib, xorg, cairo, gtk2, pango, makeWrapper, openssl, bzip2,
pkexecPath ? "/var/permissions-wrappers/pkexec", libredirect,
pkexecPath ? "/run/wrappers/pkexec", libredirect,
gksuSupport ? false, gksu}:
assert stdenv.system == "i686-linux" || stdenv.system == "x86_64-linux";

@ -83,9 +83,9 @@ in stdenv.mkDerivation {
ed -v -s "$out/bin/chromium" << EOF
2i
if [ -x "/var/permissions-wrappers/${sandboxExecutableName}" ]
if [ -x "/run/wrappers/${sandboxExecutableName}" ]
then
export CHROME_DEVEL_SANDBOX="/var/permissions-wrappers/${sandboxExecutableName}"
export CHROME_DEVEL_SANDBOX="/run/wrappers/${sandboxExecutableName}"
else
export CHROME_DEVEL_SANDBOX="$sandbox/bin/${sandboxExecutableName}"
fi

@ -26,7 +26,7 @@ index 50e8ad8..eec0ed2 100644
+ is_nixos=no
+fi
+
+if [ -u /var/permissions-wrappers/gksign ]; then
+if [ -u /run/wrappers/gksign ]; then
+ cat <<EOM
+
+Gale appears to have already been set up via the NixOS module system (check

@ -11,7 +11,7 @@ index a9d8ac4..85f13f5 100644
- # # arguments: '-i -t'
- # # }
+ config.action_mailer.sendmail_settings = {
+ location: '/var/permissions-wrappers/sendmail',
+ location: '/run/wrappers/sendmail',
+ arguments: '-i -t'
+ }
config.action_mailer.perform_deliveries = true

@ -96,7 +96,7 @@ index 95dc9a7..39170bc 100644
/* get the path to the executable */
char szPath[RTPATH_MAX];
- RTPathAppPrivateArch(szPath, sizeof(szPath) - 1);
+ RTStrCopy(szPath, sizeof(szPath) - 1, "/var/permissions-wrappers");
+ RTStrCopy(szPath, sizeof(szPath) - 1, "/run/wrappers");
size_t cchBufLeft = strlen(szPath);
szPath[cchBufLeft++] = RTPATH_DELIMITER;
szPath[cchBufLeft] = 0;
@ -154,7 +154,7 @@ index be2ad8f..7ddf105 100644
+RTDECL(int) RTPathSuidDir(char *pszPath, size_t cchPath)
+{
+ return RTStrCopy(pszPath, cchPath, "/var/permissions-wrappers");
+ return RTStrCopy(pszPath, cchPath, "/run/wrappers");
+}
+
+
@ -174,7 +174,7 @@ index 7bde6af..2656cae 100644
+ * will cut off everything after the rightmost / as this function is analogous
+ * to RTProcGetExecutablePath().
+ */
+#define SUIDDIR "/var/permissions-wrappers/"
+#define SUIDDIR "/run/wrappers/"
+
+RTR3DECL(char *) RTProcGetSuidPath(char *pszExecPath, size_t cbExecPath)
+{

@ -51,7 +51,7 @@ let
export PS1='${name}-chrootenv:\u@\h:\w\$ '
export LOCALE_ARCHIVE='/usr/lib/locale/locale-archive'
export LD_LIBRARY_PATH='/run/opengl-driver/lib:/run/opengl-driver-32/lib:/usr/lib:/usr/lib32'
export PATH='/var/permissions-wrappers:/usr/bin:/usr/sbin'
export PATH='/run/wrappers:/usr/bin:/usr/sbin'
export PKG_CONFIG_PATH=/usr/lib/pkgconfig
# Force compilers to look in default search paths

@ -42,13 +42,13 @@ stdenv.mkDerivation rec {
# this is a hack and without this cpufreq module is not working. does the following:
# 1. moves the "freqset" binary to "e_freqset",
# 2. linkes "e_freqset" to enlightenment/bin so that,
# 3. permissionsWrappers.setuid detects it and places wrappers in /var/permissions-wrappers/e_freqset,
# 4. and finally, links /var/permissions-wrappers/e_freqset to original destination where enlightenment wants it
# 3. wrappers.setuid detects it and places wrappers in /run/wrappers/e_freqset,
# 4. and finally, links /run/wrappers/e_freqset to original destination where enlightenment wants it
postInstall = ''
export CPUFREQ_DIRPATH=`readlink -f $out/lib/enlightenment/modules/cpufreq/linux-gnu-*`;
mv $CPUFREQ_DIRPATH/freqset $CPUFREQ_DIRPATH/e_freqset
ln -sv $CPUFREQ_DIRPATH/e_freqset $out/bin/e_freqset
ln -sv /var/permissions-wrappers/e_freqset $CPUFREQ_DIRPATH/freqset
ln -sv /run/wrappers/e_freqset $CPUFREQ_DIRPATH/freqset
'';
meta = with stdenv.lib; {

@ -7,7 +7,7 @@ Index: kinit-5.24.0/src/start_kdeinit/start_kdeinit_wrapper.c
#include <unistd.h>
-#define EXECUTE CMAKE_INSTALL_FULL_LIBEXECDIR_KF5 "/start_kdeinit"
+#define EXECUTE "/var/permissions-wrappers/start_kdeinit"
+#define EXECUTE "/run/wrappers/start_kdeinit"
#if KDEINIT_OOM_PROTECT

@ -57,8 +57,8 @@ stdenv.mkDerivation rec {
# Fix some binary paths
sed -i -e 's|/usr/bin/xauth|${xauth}/bin/xauth|g' libgksu/gksu-run-helper.c libgksu/libgksu.c
sed -i -e 's|/usr/bin/sudo|/var/permissions-wrappers/sudo|g' libgksu/libgksu.c
sed -i -e 's|/bin/su\([^d]\)|/var/permissions-wrappers/su\1|g' libgksu/libgksu.c
sed -i -e 's|/usr/bin/sudo|/run/wrappers/sudo|g' libgksu/libgksu.c
sed -i -e 's|/bin/su\([^d]\)|/run/wrappers/su\1|g' libgksu/libgksu.c
touch NEWS README
'';

@ -5,7 +5,7 @@
let
system = "/var/run/current-system/sw";
setuid = "/var/permissions-wrappers"; #TODO: from <nixos> config.security.wrapperDir;
setuid = "/run/wrappers"; #TODO: from <nixos> config.security.wrapperDir;
foolVars = {
SYSCONF = "/etc";

@ -94,7 +94,7 @@ in stdenv.mkDerivation rec {
unitydir="$out/opt/Unity/Editor"
mkdir -p $unitydir
mv Editor/* $unitydir
ln -sf /var/permissions-wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox
ln -sf /run/wrappers/${chromium.sandboxExecutableName} $unitydir/chrome-sandbox
mkdir -p $out/share/applications
sed "/^Exec=/c\Exec=$out/bin/unity-editor" \

@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
# Ensure that FUSE calls the setuid wrapper, not
# $out/bin/fusermount. It falls back to calling fusermount in
# $PATH, so it should also work on non-NixOS systems.
export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/var/permissions-wrappers\""
export NIX_CFLAGS_COMPILE="-DFUSERMOUNT_DIR=\"/run/wrappers\""
sed -e 's@/bin/@${utillinux}/bin/@g' -i lib/mount_util.c
sed -e 's@CONFIG_RPATH=/usr/share/gettext/config.rpath@CONFIG_RPATH=${gettext}/share/gettext/config.rpath@' -i makeconf.sh

@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
preConfigure = ''
sed -e 's@/lib/udev@''${out}/lib/udev@' \
-e 's@ -Werror @ @' \
-e 's@/usr/sbin/sendmail@/var/permissions-wrappers/sendmail@' -i Makefile
-e 's@/usr/sbin/sendmail@/run/wrappers/sendmail@' -i Makefile
'';
meta = {

@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
preConfigure = ''
sed -e 's@/lib/udev@''${out}/lib/udev@' \
-e 's@ -Werror @ @' \
-e 's@/usr/sbin/sendmail@/var/permissions-wrappers/sendmail@' -i Makefile
-e 's@/usr/sbin/sendmail@/run/wrappers/sendmail@' -i Makefile
'';
meta = {

@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
postInstall = ''
mv -v $out/sbin/unix_chkpwd{,.orig}
ln -sv /var/permissions-wrappers/unix_chkpwd $out/sbin/unix_chkpwd
ln -sv /run/wrappers/unix_chkpwd $out/sbin/unix_chkpwd
''; /*
rm -rf $out/etc
mkdir -p $modules/lib

@ -36,7 +36,7 @@ stdenv.mkDerivation rec {
--enable-last
--enable-mesg
--disable-use-tty-group
--enable-fs-paths-default=/var/permissions-wrappers:/var/run/current-system/sw/bin:/sbin
--enable-fs-paths-default=/run/wrappers:/var/run/current-system/sw/bin:/sbin
${if ncurses == null then "--without-ncurses" else ""}
${if systemd == null then "" else ''
--with-systemd

@ -30,7 +30,7 @@ buildGoPackage rec {
-e 's|/bin/chown|${coreutils}/bin/chown|' \
-e 's|/bin/date|${coreutils}/bin/date|' \
-e 's|/sbin/poweroff|${systemd}/sbin/poweroff|' \
-e 's|/usr/bin/sudo|/var/permissions-wrappers/sudo|' \
-e 's|/usr/bin/sudo|/run/wrappers/sudo|' \
-e 's|/sbin/cryptsetup|${cryptsetup}/bin/cryptsetup|'
'';
}

@ -1,4 +1,4 @@
{ stdenv, fetchurl, flex, bison, sendmailPath ? "/var/permissions-wrappers/sendmail" }:
{ stdenv, fetchurl, flex, bison, sendmailPath ? "/run/wrappers/sendmail" }:
stdenv.mkDerivation rec {
name = "petidomo-4.3";

@ -16,8 +16,8 @@ stdenv.mkDerivation rec {
# configured on the build machine).
preConfigure= "
configureFlagsArray=(
--with-ping-command='/var/permissions-wrappers/ping -n -U -w %d -c %d %s'
--with-ping6-command='/var/permissions-wrappers/ping6 -n -U -w %d -c %d %s'
--with-ping-command='/run/wrappers/ping -n -U -w %d -c %d %s'
--with-ping6-command='/run/wrappers/ping6 -n -U -w %d -c %d %s'
)
";

@ -20,10 +20,10 @@ stdenv.mkDerivation rec {
configureFlags="--mandir=$out/share/man"
substituteInPlace x11vnc/unixpw.c \
--replace '"/bin/su"' '"/var/permissions-wrappers/su"' \
--replace '"/bin/su"' '"/run/wrappers/su"' \
--replace '"/bin/true"' '"${coreutils}/bin/true"'
sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/var/permissions-wrappers/su|g' x11vnc/ssltools.h
sed -i -e '/#!\/bin\/sh/a"PATH=${xorg.xdpyinfo}\/bin:${xorg.xauth}\/bin:$PATH\\n"' -e 's|/bin/su|/run/wrappers/su|g' x11vnc/ssltools.h
'';
meta = {

@ -31,7 +31,7 @@ python2Packages.buildPythonApplication rec {
buildInputs = [ dialog ] ++ (with python2Packages; [ nose mock gnureadline ]);
patchPhase = ''
substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/var/permissions-wrappers/sendmail"
substituteInPlace certbot/notify.py --replace "/usr/sbin/sendmail" "/run/wrappers/sendmail"
substituteInPlace certbot/util.py --replace "sw_vers" "/usr/bin/sw_vers"
'';

@ -2,7 +2,7 @@
, FileDesktopEntry, libxslt, docbook_xsl, makeWrapper
, python3Packages
, perlPackages, curl, gnupg, diffutils
, sendmailPath ? "/var/permissions-wrappers/sendmail"
, sendmailPath ? "/run/wrappers/sendmail"
}:
let

@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
};
# TODO: replace wrapperDir below with from <nixos> config.security.wrapperDir;
wrapperDir = "/var/permissions-wrappers";
wrapperDir = "/run/wrappers";
postPatch = ''
FILES="$(grep -r '/bin/sh' src/utils -l; find src -name \*.c)"

@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
buildInputs = [ makeWrapper ];
# Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /var/permissions-wrappers
# Do not hardcode PATH to ${ecryptfs} as we need the script to invoke executables from /run/wrappers
installPhase = ''
mkdir -p $out/bin $out/libexec
cp $src $out/libexec/ecryptfs-helper.py

@ -1,5 +1,5 @@
{ stdenv, fetchurl, coreutils, pam, groff
, sendmailPath ? "/var/permissions-wrappers/sendmail"
, sendmailPath ? "/run/wrappers/sendmail"
, withInsults ? false
}:

@ -1,4 +1,4 @@
{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/var/permissions-wrappers/sendmail" }:
{ fetchurl, stdenv, bison, flex, pam, sendmailPath ? "/run/wrappers/sendmail" }:
stdenv.mkDerivation {
name = "at-3.1.16";

@ -23,7 +23,7 @@ stdenv.mkDerivation {
#define _PATH_SENDMAIL "${sendmailPath}"
#undef _PATH_DEFPATH
#define _PATH_DEFPATH "/var/permissions-wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin"
#define _PATH_DEFPATH "/run/wrappers:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/run/current-system/sw/bin:/run/current-system/sw/sbin:/usr/bin:/bin"
__EOT__
# Implicit saved uids do not work here due to way NixOS uses setuid wrappers

@ -1,5 +1,5 @@
{stdenv, fetchurl,
sendmailPath ? "/var/permissions-wrappers/sendmail" }:
sendmailPath ? "/run/wrappers/sendmail" }:
stdenv.mkDerivation rec {
