Merge pull request #140359 from rnhmjoj/setgid-nobody

nixos: make setgid wrappers root-owned

nixos/modules/programs/ccache.nix

@@ -28,7 +28,7 @@ in {
 
       # "nix-ccache --show-stats" and "nix-ccache --clear"
       security.wrappers.nix-ccache = {
-        owner = "nobody";
+        owner = "root";
         group = "nixbld";
         setuid = false;
         setgid = true;

nixos/modules/programs/mosh.nix

@@ -33,7 +33,7 @@ in
     security.wrappers = mkIf cfg.withUtempter {
       utempter = {
         source = "${pkgs.libutempter}/lib/utempter/utempter";
-        owner = "nobody";
+        owner = "root";
         group = "utmp";
         setuid = false;
         setgid = true;

nixos/modules/services/mail/opensmtpd.nix

@@ -103,7 +103,7 @@ in {
     };
 
     security.wrappers.smtpctl = {
-      owner = "nobody";
+      owner = "root";
       group = "smtpq";
       setuid = false;
       setgid = true;

nixos/modules/services/mail/postfix.nix

@@ -674,7 +674,7 @@ in
       services.mail.sendmailSetuidWrapper = mkIf config.services.postfix.setSendmail {
         program = "sendmail";
         source = "${pkgs.postfix}/bin/sendmail";
-        owner = "nobody";
+        owner = "root";
         group = setgidGroup;
         setuid = false;
         setgid = true;
@@ -683,7 +683,7 @@ in
       security.wrappers.mailq = {
         program = "mailq";
         source = "${pkgs.postfix}/bin/mailq";
-        owner = "nobody";
+        owner = "root";
         group = setgidGroup;
         setuid = false;
         setgid = true;
@@ -692,7 +692,7 @@ in
       security.wrappers.postqueue = {
         program = "postqueue";
         source = "${pkgs.postfix}/bin/postqueue";
-        owner = "nobody";
+        owner = "root";
         group = setgidGroup;
         setuid = false;
         setgid = true;
@@ -701,7 +701,7 @@ in
       security.wrappers.postdrop = {
         program = "postdrop";
         source = "${pkgs.postfix}/bin/postdrop";
-        owner = "nobody";
+        owner = "root";
         group = setgidGroup;
         setuid = false;
         setgid = true;

nixos/modules/services/x11/desktop-managers/cde.nix

@@ -50,7 +50,7 @@ in {
     security.wrappers = {
       dtmail = {
         setgid = true;
-        owner = "nobody";
+        owner = "root";
         group = "mail";
         source = "${pkgs.cdesktopenv}/bin/dtmail";
       };