More derp

Parnell Springmeyer 2017-01-29 05:33:56 -06:00
parent 70b8167d4a
commit 628e6a83d0
No known key found for this signature in database
GPG Key ID: DCCF89258EAD874A
13 changed files with 38 additions and 42 deletions


@ -27,6 +27,6 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ sandbox ];
security.setuidPrograms = [ sandbox.passthru.sandboxExecutableName ];
security.wrappers."${sandbox.passthru.sandboxExecutableName}".source = "${sandbox}/bin/${sandbox.passthru.sandboxExecutableName}";
};
}
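Review bot: The new `security.wrappers."${sandbox.passthru.sandboxExecutableName}".source` entry sets only `source`, while the `security.setuidPrograms` path it replaces mapped every name to `owner = "root"; group = "root"; setuid = true;` (see the `programs` definition in the wrappers module section of this page). Nothing visible here shows those attributes being defaulted for an entry that gives only `source`, so the wrapper may end up without the setuid bit or with an unintended owner. I would state the privileges explicitly, as the `unix_chkpwd` entry does: `owner = "root"; setuid = true;`. The same applies to the source-only entries for login_duo, pmount/pumount, pkexec, sudo/sudoedit, exim, fping/fping6, crontab, fcrontab, e_freqset and ping/ping6.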


@ -188,7 +188,7 @@ in
environment.systemPackages = [ pkgs.duo-unix ];
security.setuidPrograms = [ "login_duo" ];
security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
environment.etc = loginCfgFile ++ pamCfgFile;
/* If PAM *and* SSH are enabled, then don't do anything special.


@ -472,14 +472,19 @@ in
++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
security.setuidPrograms =
security.wrapperssetuidPrograms =
optionals config.security.pam.enableEcryptfs [ "mount.ecryptfs_private" "umount.ecryptfs_private" ];
security.wrappers.unix_chkpwd = {
security.wrappers = {
unix_chkpwd = {
source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
owner = "root";
setuid = true;
};
} // (mkIf config.security.pam.enableEcryptfs {
"mount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/mount.ecryptfs_private";
"umount.ecryptfs_private".source = "${pkgs.ecryptfs.out}/bin/umount.ecryptfs_private";
};
environment.etc =
mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
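Review bot: The ecryptfs branch of `security.wrappers` will not evaluate as written: `} // (mkIf config.security.pam.enableEcryptfs {` opens a parenthesis that the closing `};` never closes. The line above it still reads `security.wrapperssetuidPrograms =`, which names no option and looks like a search-and-replace leftover that should be deleted together with its `optionals …` value. Even with the parenthesis closed, `//` merges the `mkIf` wrapper's own attributes into the set instead of applying the condition to the two mount helpers, so the result is not the intended conditional merge. Let the module system do the merge, e.g. `security.wrappers = mkMerge [ { unix_chkpwd = { … }; } (mkIf config.security.pam.enableEcryptfs { … }) ];`. The +/- markers are lost on this page, so which lines are on the new side is inferred from the hunk header counts.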


@ -33,7 +33,10 @@ in
config = mkIf (cfg.enable || anyUsbAuth) {
# Make sure pmount and pumount are setuid wrapped.
security.setuidPrograms = [ "pmount" "pumount" ];
security.wrappers = {
pmount.source = "${pkgs.pmount.out}/bin/pmount";
pumount.source = "${pkgs.pmount.out}/bin/pumount";
};
environment.systemPackages = [ pkgs.pmount ];


@ -83,8 +83,10 @@ in
security.pam.services.polkit-1 = {};
security.setuidPrograms = [ "pkexec" ];
security.wrappers."polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
security.wrappers = {
pkexec.source = "${pkgs.polkit.out}/bin/pkexec";
"polkit-agent-helper-1".source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
};
system.activationScripts.polkit =
''


@ -81,7 +81,10 @@ in
${cfg.extraConfig}
'';
security.setuidPrograms = [ "sudo" "sudoedit" ];
security.wrappers = {
sudo.source = "${pkgs.sudo.out}/bin/sudo";
sudoedit.source = "${pkgs.sudo.out}/bin/sudoedit";
};
environment.systemPackages = [ sudo ];


@ -4,22 +4,13 @@ let
inherit (config.security) wrapperDir wrappers setuidPrograms;
programs =
(map (x: { program = x; owner = "root"; group = "root"; setuid = true; }) setuidPrograms)
++
(lib.mapAttrsToList
(n: v: (if v ? "program" then v else v // {program=n;}))
wrappers);
mkWrapper = { program, source ? null, ...}: ''
if ! source=${if source != null || source != "" then source else "$(readlink -f $(PATH=$WRAPPER_PATH type -tP ${program}))"}; then
# If we can't find the program, fall back to the
# system profile.
source=/nix/var/nix/profiles/default/bin/${program}
fi
parentWrapperDir=$(dirname ${wrapperDir})
gcc -Wall -O2 -DSOURCE_PROG=\"$source\" -DWRAPPER_DIR=\"$parentWrapperDir\" \
gcc -Wall -O2 -DSOURCE_PROG=\"${source}\" -DWRAPPER_DIR=\"$parentWrapperDir\" \
-lcap-ng -lcap ${./wrapper.c} -o $out/bin/${program}.wrapper -L ${pkgs.libcap.lib}/lib -L ${pkgs.libcap_ng}/lib \
-I ${pkgs.libcap.dev}/include -I ${pkgs.libcap_ng}/include -I ${pkgs.linuxHeaders}/include
'';
@ -96,19 +87,6 @@ in
###### interface
options = {
security.setuidPrograms = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
example = ["passwd"];
description = ''
The Nix store cannot contain setuid/setgid programs directly.
For this reason, NixOS can automatically generate wrapper
programs that have the necessary privileges. This option
lists the names of programs in the system environment for
which setuid root wrappers should be created.
'';
};
security.wrappers = lib.mkOption {
type = lib.types.attrs;
default = {};
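Review bot: `mkWrapper` still declares `source ? null`, but the gcc line now interpolates `${source}` directly and the `type -tP` / system-profile fallback appears to be removed, so a wrapper entry without `source` fails during evaluation with a coercion error instead of a message naming the wrapper. Because `security.wrappers` is typed `lib.types.attrs`, nothing validates an entry before it reaches this point. I would make the argument required, `mkWrapper = { program, source, ...}: ''`, or add an assertion that reports which wrapper lacks `source`. The +/- markers are lost on this page, so the new side is inferred from the hunk header counts.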


@ -89,7 +89,7 @@ in
gid = config.ids.gids.exim;
};
security.setuidPrograms = [ "exim" ];
security.wrappers.exim.source = "${exim}/bin/exim";
systemd.services.exim = {
description = "Exim Mail Daemon";


@ -273,7 +273,10 @@ in
message = "services.smokeping: sendmail and Mailhost cannot both be enabled.";
}
];
security.setuidPrograms = [ "fping" "fping6" ];
security.wrappers = {
fping.source = "${pkgs.fping}/bin/fping";
"fping6".source = "${pkgs.fping}/bin/fping6";
};
environment.systemPackages = [ pkgs.fping ];
users.extraUsers = singleton {
name = cfg.user;


@ -93,7 +93,7 @@ in
{ services.cron.enable = mkDefault (allFiles != []); }
(mkIf (config.services.cron.enable) {
security.setuidPrograms = [ "crontab" ];
security.wrappers.crontab.source = "${pkgs.cronNixosPkg.out}/bin/crontab";
environment.systemPackages = [ cronNixosPkg ];
environment.etc.crontab =
{ source = pkgs.runCommand "crontabs" { inherit allFiles; preferLocalBuild = true; }


@ -106,7 +106,7 @@ in
environment.systemPackages = [ pkgs.fcron ];
security.setuidPrograms = [ "fcrontab" ];
security.wrappers.fcrontab.source = "${pkgs.fcron.out}/bin/fcrontab";
systemd.services.fcron = {
description = "fcron daemon";
after = [ "local-fs.target" ];


@ -62,7 +62,8 @@ in
'';
}];
security.setuidPrograms = [ "e_freqset" ];
security.wrappers.e_freqset.source = "${e.enlightenment.out}/bin/e_freqset";
environment.etc = singleton
{ source = "${pkgs.xkeyboard_config}/etc/X11/xkb";
target = "X11/xkb";


@ -912,9 +912,10 @@ in
# If the linux kernel IS older than 4.3, create setuid wrappers
# for ping and ping6
security.setuidPrograms = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") [
"ping" "ping6"
];
security.wrappers = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") {
ping.source = "${pkgs.iputils.out}/bin/ping";
"ping6".source = "${pkgs.iputils.out}/bin/ping6";
};
# Set the host and domain names in the activation script. Don't
# clear it if it's not configured in the NixOS configuration,